
Title: Baiting Attack Exercise: The Old School Way Still Works.
In the past few months, we have had quite a few social engineering and client-side penetration tests, and, as you have probably noticed from my previous posts, these are the types of tests I enjoy doing, a lot.
Let me start this blog post by briefly describing our usual approach and the results for one of the baiting attack exercises we have performed. In this particular case, we used traditional, old school techniques that still work.
Baiting attacks can be very similar to phishing attacks; however, instead of using email as the delivery method, we use various kinds of physical media, which relies on the curiosity, or sometimes even the greed, of the victims.
After gathering a list of full names, work addresses and positions for all of the associates of an organization, the Trustwave consultants carefully analyzed this list and decided to target a certain number of employees per location.
After having decided on the targets, the next step was to choose which attack method we were going to use for that specific case. The Trustwave consultants decided to try to impersonate users (most of them part of the sales team) with a custom message requesting that users update their local Anti-Virus software. Yes, we know, it's really old school, but you would be surprised at how effective this is.
The physical media were delivered by postal service to each one of the targets, along with a letter with details about the (fake) antivirus update and instructions on how to install it from either the CD-ROM or the USB pen-drive that was also included in the package.

Below is one of the templates used for these types of attacks. The real letters had the real names of the targets, and "thumbdrive" was replaced with "CD-ROM" where appropriate.
Dear $Employee-First-Name:

During a recent internal security analysis, we have identified that your computer is running an outdated version of our Anti-virus software because of the recent issues in the network of your $Physical-Location.

As you understand, this creates a potential hazard to the safety of the company, and we need your cooperation to provide an immediate solution.

The package you received includes a USB thumbdrive containing the Anti-virus update that will fix the root cause of the problem. Please connect the USB pen-drive to your computer and follow the instructions below to install the update:

1. Double click on the icon "My Computer".
2. Double click on the removable disk icon that corresponds to the USB pen-drive.
3. Double click on the file "Anti-Virus Update".

If the update was performed correctly, you will see the following message: "Anti-virus updated successfully". Once you follow these instructions, your Anti-virus will be updated and actively protecting your computer against future threats.

We appreciate your help in protecting the assets, employees and customers of $Company-Target-Name.

Sincerely,
$Company-Target-Name
Information Security Team
$Customer-Address

For these types of engagements we usually use anything from normal USB thumbdrives to U3 thumbdrives and sometimes even CD-ROMs, all of them customized with an Anti-Virus logo and carrying an autorun application. We usually also need a customized payload, which is a lighter version of the one described in a previous post on this blog:
http://blog.spiderlabs.com/2012/08/client-side-payloadthe-brazilian-way.html
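Since this delivery method depends on the target host honoring autorun on removable media, the following is an added defender-side check (not part of the original post, and not Trustwave tooling) that audits the documented Windows policy values controlling that behaviour. It assumes it is run in an elevated PowerShell session on the host being assessed.

```powershell
# Added example: audit whether a Windows host is hardened against
# autorun-based removable-media baiting. Reads the documented Explorer
# policy values and the USBSTOR driver start type and reports findings.
function Get-RemovableMediaHardening {
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # disabled; 0xFF (255) disables it for every drive type.
    # NoAutorun = 1 ("Default behavior for AutoRun" policy) stops autorun.inf
    # commands from being executed at all.
    $noDriveType = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noAutorun   = (Get-ItemProperty -Path $explorerPolicy -Name NoAutorun -ErrorAction SilentlyContinue).NoAutorun

    # USBSTOR Start = 4 means the USB mass-storage driver is disabled
    # (strong control, but only where the business can live without USB storage).
    $usbStart = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start

    $findings = @()
    if ($noDriveType -ne 255) {
        $findings += "NoDriveTypeAutoRun is '$noDriveType' (expected 255: AutoRun disabled on all drive types)"
    }
    if ($noAutorun -ne 1) {
        $findings += "NoAutorun is '$noAutorun' (expected 1: autorun.inf commands never executed)"
    }
    if ($usbStart -ne 4) {
        $findings += "USBSTOR Start is '$usbStart' (4 would block USB mass storage entirely)"
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NoDriveTypeAutoRun = $noDriveType
        NoAutorun          = $noAutorun
        UsbStorStart       = $usbStart
        AutorunHardened    = ($noDriveType -eq 255 -and $noAutorun -eq 1)
        Findings           = $findings
    }
}

Get-RemovableMediaHardening | Format-List
```

A host that reports AutorunHardened = True still executes a file the user double-clicks, as the letter above instructs, so the check complements rather than replaces application control and user awareness.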
At the end of this particular exercise, of the 15 packages sent, 1 actually resulted in a compromise. The interesting part, though, is that the user who was compromised was not one of the original targets and did not even work at the target location.
In another baiting exercise we decided to target two additional locations. The Trustwave consultants, while walking by one of the buildings, dropped 2 USB thumbdrives in the parking lot. Both of these drives had a customized logo that, on purpose, would be of great interest to any associate of that particular organization. This would also increase the chances that a curious associate would simply plug the drive into their computer.
At the second building, we decided to drop 1 USB drive in the garage, a second drive was silently dropped on the sidewalk in front of the building, and a third was left at the reception. All 3 of these USB drives also had a custom logo on them.
The outcome of the exercise was: one of the two USB thumbdrives dropped at "Building1" was opened a few days later by a person who happened not to be an associate of that organization, but who was later identified as the private driver of one of the organization's executives. Hence, this drive was opened from the driver's computer and not from one of the computers that actually belonged to the organization.

The screenshot below shows the driver's face when he opened the fake confidential USB drive. Does anyone disagree that he was quite curious?

One of the three USB pen-drives dropped at the second building was opened 2 hours later by a person who was later identified, by their username, as a member of the physical security staff. Although this particular person did not have many privileges on the organization's computers, the Trustwave consultants were able to see the software used to manage all physical security controls (badges, main entrances, cameras, etc.).
It is also important to note that the Trustwave consultants were able to escalate privileges to local administrator by using a technique called "Named Pipe Impersonation". With that, the Trustwave consultants were able to retrieve the WPA pre-shared key stored in the Windows registry and consequently join the wireless network, which allowed full access to many systems. This WPA pre-shared key was actually very strong and very unlikely to be guessed via brute-force or dictionary attacks.

This attack was very simple and used old school techniques; however, it is still very effective, as demonstrated above. From this point of compromise a real attacker could be very dangerous and able to compromise the internal network, just as one would if physically present within the organization. Is your company prepared for this kind of attack?
