This article is part # 3 in the series on Penetration Testing. The first in this series talks about Penetration testing as a profession and a general introduction. The second introduces you to some critical keywords and security tips you need to be aware of before proceeding through the rest of this series.
When you are performing the role of a security/pen tester, sometimes just having the right tools and skills is not enough. Either they are not enough or there are easier ways to get the management to understand how easy it is for someone to walk in and walk out with the keys to their “fort”.
One of the first things I want to share with you is what my Professor of a Security Class I took while I was an Undergrad at Florida Tech shared with us. So, he was performing a penetration test at a company and he was negotiating the price for which he is willing to perform the pen test of the company’s network. Apparantly, the company was driving a hard bargain. Finally, it reached an ultimatum situation and so the company asks… “why should we pay you so many X dollars more? Are you that Good?” or something on those lines. So my professor excuses himself from the meeting room on the pretext of using the rest room. He walks around the floor on which the meeting was set up. Here is what he finds. He finds passwords on Employees monitors, including in front of an employee who had an “Emergency Response Team” sign sitting outside his cube. As he is walking past he sees the Project Manager’s laptop bag with disks and flash drives in it, sitting outside near the receptionist or an employee’s desk. He just informs the lady that he was told to bring the bag inside, takes out the flash drive. He logs into one of the terminals, grabs some credentials stored on the flash drive, makes printouts of some confidential documents and brings it back to the meeting room, all within a time frame of around 5-10 minutes. No one asked any questions. My professor got the price he asked for and more and the company had an excellent pen test analysis done.
So what is the moral of this story: No matter how strong your filters are set or firewall configured. You must always take caution against the insider attack. You are only as strong as your weakest link. In this business, sometimes, we need to employ tactics such as social engineering amongst others to get our job done. In this article, I will talk about some of these tactics.
1. Using a Keylogger: Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. A simple google search on download keyloggers gives you plenty of results. You might want to use a professional keylogger tool such as KeyKatcher or KeyGhost. While you are performing a security test on a system, keyloggers can be a helpful tool. However, please make sure that you have permission from the company to do something like this.
2. The ability to pick locks: Okay, this is one skill I don’t have too but if you are performing the role of a pen tester, remember that if something was stolen or picked from the company, it rather be you than some attacker. When performing a test, know the kinds of locks used by the company to secure its prime assets such as server rooms etc. While most companies these days are using card access, you might be in luck if they are using the traditional lock. An excellent paper highlighting the need for physical security is the “MIT Guide to Lock Picking” by an author who calls himself Ted the Tool. If you are going in this direction, contact your nearest law enforcement agency, fill out the necessary forms and get certified. The ability to pick the lock of a server room could be a valuable asset while performing a security test at a company. Again, please make sure you have permission from the company to do something like this.