This Red Team Assessment took place right before the easter holidays. An IT company that hosts IT services for several municipalities contacted Orange Cyberdefense Norway because they wanted a physical, social engineering pentest to check their maturity level against such attacks.
In the initial meeting, possible locations they wanted to test came up. Among them was a school in one of the municipalities hosting parts of the IT department’s servers in their building. The parties discussed the main goal for the test, and they decided that I would try and gain access to the server room and see what else I could find that could lead to a potential breach of Confidentiality, Integrity, and Availability (CIA).
After setting the scope, I was ready to delve into information acquisition about the location and possible entry.
When you have a target, finding the correct information is just like walking into a messy room. You glance at all that is lying around and then feel an instant urge to leave because you are convinced you will never get it done. Like cleaning a room, you must begin somewhere, and it will all untangle itself.
I started this assignment by scouring social media and using search engines to navigate my way through all information related to employees and the location itself. I did this to see if I could find a good angle for why I was entering the premises.
The reason for being at a site or asking questions is a pretext in social engineering. A pretext needs to have the answers to why you are there, but you must be able to handle the details of that pretext. When using a pretext, people might ask questions that will make you deviate from the initial plan and improvise. The greater your understanding of all the information related to the target, the easier it is to adapt to any given situation within your pretext. The more you can adjust, the better your pretext.
Finding information that is useful for the pretext can be challenging. I can start with an initial thought on how I should develop my pretext, and more often, I start out feeling lost, wondering what to do or even what angle to use. Open-Source Intelligence (OSINT) helps me out when I feel like this. When reading up on publicly available documents online and social media profiles, I slowly get to know the company and the location. I often find opportunities during this phase, which also happened on this Red Team assignment.
During my OSINT phase, I found a project document for infrastructure change for all schools and daycares in the municipalities. In Norway, such documentation is often available to the public since it is a governmental institution, and transparency is required regarding projects and acquisitions. This project document included blueprints of the buildings, including the school on my target list, and a list of current network equipment and upgrade plans. By looking at the blueprint where all the network equipment was marked, it was possible to pinpoint where the server room was in the building. And by looking at the network equipment list, I acquired knowledge of what was in use at the premises.
This information inspired me to create a pretext around this infrastructure project. It would not be unusual for an IT employee to access the building with network equipment matching the undergoing project. First, I needed to decide why I was going there with the equipment. The IT department was located elsewhere in the area, so I decided to pretend to be an employee. This thought prompted me to read about the IT department employees and their positions. I found a person that was into motorcycles working with networks in the IT department. Since this was during springtime, I thought that it would not be unlikely for him to take a day off to fix his bike for the season and, rather than going himself, send a newly employed junior (me) to do some infrastructure swapping.
I decided to go undercover as a newly employed IT worker since I could not be sure that the ones, I encountered would know the IT department personnel. A new employee could also have a valid reason for not having an access card. Not having an access card or keys meant I would have to find someone who most likely had it. Since server rooms are often restricted, few people have access. Those with access to a school server room besides IT are either janitors or principals. I researched them and decided that the janitor was the most likely option. This choice was made due to the camaraderie that often presents itself between those working in the service and maintenance field. Such as between janitors, IT, and cleaners. In my experience, they are more prone to doing each other favors even outside the protocol.
I now had my pretext:
I was going in as a newly employed IT person doing some infrastructure changes according to the project plan. Since the IT company sent me last minute due to one of the seniors having a day off, I would need to find the janitor and ask him for help to gain access since my keys and access card had yet to arrive.
To further emphasize this pretext, I needed props and suitable clothing. As a former IT operator, I know that dresses are usually not the proper attire when carrying a router. Comfortable and casual wear is more likely. For the props, I had a Cisco router in a box lying around at home. I am guessing that is a working hazard for IT professionals. I printed out the project plan with the blueprint, and I crafted an email that I printed out. In the email, the senior had written to me that he was taking the day off to fix his bike. The email also stated that I needed to go to school and implement a new router. It also said that Adam, the janitor (all names are fictitious), was a nice guy and could probably help me get access. I completed the email with a fake signature with the logo acquired from the company’s homepage. The phone number on the signature was to a male co-worker who would pretend to be the senior IT person if someone called to check.
Due to my OSINT investigation, I knew the layout of the building and the surrounding area. I also knew the face of the janitor I was looking after. When I parked my car and unloaded the router box, I called out to the man I recognized as the janitor walking across the lawn a few meters away from me. Trying to sound as confident as possible, I called: “Hey! Are you Adam?” The janitor stopped and answered me: “Yes?” And I continued explaining my reason for being there, partly showing him the email while presenting the content of it and the reason for me being there. After just a second, he responded: “Well, now you are in luck; I am the only one here with the key.” He offered to carry my box and guided me to the server room. He asked me if it would take time, and I said it might take 15 minutes or more. Then he gave me his number and told me to call him when I was done.
About 2 minutes had passed since I had parked my car. And I was now alone in the server room hosting somewhat critical infrastructure for the IT department.
Since this was a proof-of-concept test and not a complete red team assignment, I put some stickers in unlocked server racks and around the server room to prove I had been there while also taking pictures. It was possible to either grab a server and walk away or gain access from the inside for implementing malware on the servers to which I now had physical access.
When I was done, I called the number and was on my way out without any alarms raised, smiling, and waving to the janitor, who thought he had just helped out a fellow maintenance worker.
If you want more stories where our employees had fun digitally breaking into our customer's premises, inlcuding an in-depth analysis of five years of pentesting reports can be found in the Security Navigator. Get it here.