Posted on 29th April 2013
I’m a college student studying abroad at the University of Pennsylvania, studying a mixture of CS, Physics and Music. This semester I decided to take a course CIS551: Network and Computer Security, eager to learn about the field. This is the story of how as part of the course, I compromised the security of one of my fellow students through social engineering techniques.
For our final project, the class was divided up into two sets of teams, attack and defense. After half way through the project, defense and attack switched. The role of the defense teams was to construct a secure network chat client. In plain English, they had to write a piece of software that would allow two people to communicate over the internet without fear of wiretapping. The aim of the attack side was to disrupt or compromise their system.
For me the excitement came from the attack side. We had learned in class about ‘social engineering attacks’ as a powerful offensive security tool. The basic premise according to wiki is “the art of manipulating people into performing actions or divulging confidential information”. A trick of a con-man. This was a perfect opportunity for me to actually try putting such a technique into practice whilst still remaining well in the bounds of morality and legality. I asked for permission and was soon granted it. The eagle was a’ go.
Phase 1: Information Gathering
First we cross referenced the list of emails on the defense team against the Penn Directory Database. Once we gained full names and school, we cross referenced this against publicly available data using a combination data mining tools and lookups on social networks such as Facebook and LinkedIn. These were used to build profiles, including photos of potential targets. In our attack proposal we also listed social engineering to warn them of it.
Phase 2: Gaining Rapport/Trust
The next phase of the social engineering attack involved multiple steps. The plan was to place a mole outside the classroom in the engineering building posing as a recruiter from a prestigious company, offering summer internships! First up was obtaining a domain name and email address for use in the attack. We picked X (name redacted) to be the company we would replicate as they are known for being secretive and security focused. We thus registered Xrecruting.com and had the address forward to X.com for authentic looks, while using emails registered to that domain for our purposes.
Next I waited around the engineering buildings looking for a junior administrative assistant or janitor and upon finding one, convinced them that I needed a Penn Lanyard urgently for my senior design presentation as I had forgotten mine. I was soon granted a lanyard and next the team photoshopped a X badge with the face of our ‘recruiter’ (another Penn student) in order to simulate authenticity. We also printed advertising posters to place outside the classroom for further realism. We then placed our mole outside the 551 classroom dressed up in a X t-shirt (purchased online) with the fake badge, the posters, and a laptop set up with a survey. Our representative advertised summer internships in security. A number of students from the class fell for it and entered their information in the survey.
Next we gained further rapport by reaching out to the targets via email. First we initiated contact asking for basic details a resume etc:
“This is Joseph from X, we met earlier today. The team and I are very eager to find a candidate that fits our openings here… “
It wasn’t long before our target replied, eager to seize the opportunity:
“…please find attached herewith my resume for your kind perusal…I have fair bit of knowledge in Networks and Network Security.”
The game was on, he was falling for it! However, it was one thing to have his trust, but for us to actually use it in some way, we needed to push this further.
Phase 3: Exploitation
To exploit our position of power we had many options, some of which would be pushing the assignment over the edge. With this level of trust it would be feasible to gain access to information protecting online accounts, a very scary thought. However, we decided to go down a different route and instead convinced them of the need to review their source code for recruitment purposes. This allowed us to analyze their code for potential exploits.
“My team operates mainly on a Java codebase. Do you have any experience in the area?
We’ll also get you to submit a few simple coding exercises and perhaps the code from a previous project to see if you’re a good fit.”
We exchanged a few more emails back and forth but it wasn’t really getting anywhere. I decided to press a little harder being relatively sure of his trust:
“…In looking into specifically which project you would be working on, it would also be good to know if you had any experience in crypto protocols and defensive infrastructure. In regards to this I have two questions. Firstly, is there a professor I could contact in regards to the syllabus and, secondly is there anything that matches this description that you have engaged in as far as you know…
Could you possibly let me know feasible times in the next week for an interview?
Also, are there any current projects in Java you are working for which a codebase is available for our engineers to review? Even a work in progress is fine. We’re really interested in seeing material and your personal projects from this course given the nature of the internship….”
Finally we struck gold! A few hours later the following appeared in my inbox:
“Please find attached herewith 2 java source code files. (server.java and client.java)
These are for a basic chat system application. Further, me and my group would be adding some encryption techniques in it (I ll send you those once we start working on it and progress to some level)”
Please find attached herewith 2 java code files for a chat system with AES encryption.
In the final copy they submitted they had hard coded their AES key, this would be easier than I thought! However this wasn’t quite good enough. It would still be difficult to intercept their communication, much less read their messages.
Next I simulated a discussion between the professor and X granting access to the ‘recruiter’ to come visit the demo.
“I have some exciting news and a question for you. I have been informed by Professor Smith that the class has upcoming demos on attack/defense and focusing on network vulnerabilities. I have his permission and now I need yours, to come and watch you demo live….”
“——– Original Message ——–
Subject: Re: CIS551 Security Recruitment
From: X <X@cis.upenn.edu>
Date: Sun, April 21, 2013 11:41 am
To: “joseph@Xrecruiting.com” <joseph@Xrecruiting.com>
I’d be happy to let you and your team come visit my students on Monday during Network Security demos they are undertaking using chat systems they have coded.”
The target replied with the affirmative, very eagerly inviting our recruiter in.
“Yes absolutely. You are most welcome. Its this Monday at 4pm in Engineering Building.
Hope to see you there.”
“My contact no. is REDACTED if you need any help with location or anything.”
Today being demo day, the stage was all set, and our fake recruiter was again in place. I had given her my new wifi enabled camera to stream a screencap of the enemies messages direct from their screen as they typed, to where my team was sitting a few meters away.
Throughout the demo my team acted as all the other attack teams had, using DDoS, ARP Poisoning and other standard network attacks, to try to compromise their server. However we really had a trump card. Both their encryption key and better yet, the plaintext of their messages.
After launching our usual slew of attacks on their code (most of which worked anyway), we closed the demo and went to meet the other team. When asked if we had any more attacks, I motioned to the recruiter to pass me the camera and as she handed it over, our opponents faces took on stunned looks. It took a good few minutes to convince them of the depth of our attack. Successfully executing this was such an amazing feeling.
I’ve not yet received my grade for the course, but I feel that more than anything this was a fantastic learning experience before I head out soon to look for a position in industry or for higher study.
I’ve linked below the email log with names and emails redacted for the perusal of my readers with permission of the opposing team. It’s quite the read. Enjoy.