Recently, I had the opportunity to perform a social engineering penetration test in an Arabic country. Many Americans would feel similar to the way I did in the preparation days before the test. Will the culture gap cause me to offend someone? Will the language gap land me in jail? What am I going to use as a pretext when I really know nothing about their culture? The last time I was in this country was 20+ years ago (I know, I am dating myself) when I was very young in the U.S. Military and not able to tour much to experience the culture. Certainly things have changed since then.
To my very pleasant surprise, this culture is one of the most friendly and welcoming ones that I have ever experienced. The company that hired us came to our hotel the morning after we arrived and offered to buy us refreshments; we should be buying refreshments for them! Every person we walked past on the street greeted us with a friendly smile. The restaurant manager came to our tables to greet us and seemed like they genuinely cared about our dining experience, especially in the “American” restaurants. They wanted to know how our meal and service was compared to the same restaurant in the States, and most of the time, it was better! Extraordinary! Family life here is what I remember growing up. Kids are actually outside. You would think in the U.S. that going out to play has been banned compared to how it is here.
Due to these cultural niceties, the social engineering test ended up being way easier than we could have ever expected. We were turned loose to attempt to get into two buildings. These two buildings had security guards at each entrance and RF proximity badge access to get into all of the doors except the front door. The pretext that we decided to use was that we were there to perform building inspections so we could model a new office like this one.
We walked up to the security guard in the Information Security building and told him that we were there to see the IS guys that hired us. Their names were easily found on a LinkedIn search, so our attempt was not using any insider exclusive information. The guard asked for our ID cards, then handed us a guest badge and told us what floor we could find our “contacts” on. No phone call. No further questioning. Just… access!
We took our newly acquired guest badges and walked to one of the other buildings up to the proximity card turnstiles. Our badges did not work in this building. After trying to communicate this to the security guard, he just let us in using his own badge. We entered the elevator corridor, tucking the guest badges into our pockets so that people would not know that we were just “guests.” With our get-out-of-jail cards in hand, we decided to see just how much we could get away with.
We entered the elevator and decided to start at the top floor and work our way down. With a cell phone recording video, we exited the elevator on the sixth floor and quickly realized that this floor was for the chairmen of the company. Nice carpeting, mahogany desks, and marble walls… we entered to check it out. We walked in like we were supposed to be there, right past the receptionist and into their office and boardroom area. A man in a very nice suit that knew that we had absolutely no business being there quickly challenged us. We told him that we were there to inspect the building, but he told us that we needed to go to a different floor to do that. First try, partial success.
We went back into the elevator and proceeded to go down to the fifth floor. The doors open and we are on the floor with their NOC. This door had a biometric finger scanner as well as the proximity badge access, so there was no way we were getting into that office with our guest badge. There was a security guard posted on that floor, but he did not speak much English. We kept trying to express to him that we needed to be in there by talking and pointing in the direction of the doors, finally we walked to the doors and he started tapping on the glass to get the attention of someone inside. After a few minutes, someone came to the door and opened it. They talked for a bit and the NOC employee asked us what we needed. We explained, but we were denied access.
The next floor down was their data center. It had the same setup as the floor with the NOC; guard out front, biometric finger scanner and proximity badge access. Talking with the guard, we found out that he did not have access into that space and it was also unmanned, so we would not be able to get into there either. On to the next floor!
The next two floors were a complete success. We tailgated employees into these office spaces and walked around, completely unchallenged. There were people that looked at us, probably wondering who we were and what we were doing, but no one stopped us. We took pictures and videos of the entire walk around, highlighting unlocked and unattended computers, and documents lying unattended on desks. We had hit the jackpot!
After spending about 30 minutes walking around those two floors, we decided to go to the other building and see what we could do there. *****We left with our guest badge assuming that it also would not work. ********We bypassed the security desk and walked right up to the turnstiles, but our badges did not work. We walked back to the security desk and showed them our badges, explained that we needed to be in the building, but they were not working. Again, with no questions or phone calls, they swapped out our badge from the other building for a badge that would work! Off to the top floor to start again!
Upon exiting the elevator, there were doors right away that needed badge access. Our badges, however, did not grant us access. We saw someone sitting close to the doors, so we tapped on the glass to get their attention. He came to the door and we explained that we needed to be there and our badge was not working. He allowed us in and went and sat back down. Again, camera rolling, we walked the entire floor capturing more video of unlocked workstations and documents left unattended.
The rest of the building was exactly the same. Our badge did not work on any of the doors, but getting the attention of employees and giving them a brief explanation of why we were there got us access to every floor in that building.
Our walking around and talking to each other while pointing at things and nodding worked completely perfectly. No one ever questioned why we were there. Everyone completely trusted us the entire time. Had we been malicious people, we could have done anything that we wanted to that company. We could have stolen documents. We could have accessed many employees’ computers. We could have left a drop box plugged in somewhere. No one would have ever known. We had basically taken our biggest fear of this engagement, language and cultural differences, and turned it into our biggest asset.
In summary, there is one key point that needs to be remembered with every social engineering engagement: Believe that you are who you say you are and believe that you are supposed to be where you are. If you can believe this, with every part of your being, chances are you will always be successful. Walking around, making yourself look important and not acting like you are lost, aids in not being challenged. When you are abroad, use things like language and cultural differences to your advantage, they will likely help you out more than they will hinder you.
Happy social engineering!
This article was written by Paul Koblitz @ph4que | Staff Security Consultant