Social Engineering Lab By: Kenneth D. Stewart

Objective: The objective of this lab is to familiarize the students with a common
hacking practice known as Social Engineering.
CERT article: http://www.cert.org/incident_notes/IN-2002-03.html
CERT statistics: http://www.cert.org/stats/#incidents
What is Social Engineering?
Social engineering is the practice of gathering information about a network without
approaching the network directly: asking questions, dumpster diving, or pretending to be an
IT person in order to obtain user IDs, passwords, or information about the network. The
Carnegie Mellon Software Engineering Institute states “that there have been over 137,529
social engineering attacks reported to www.CERT.org in 2003 alone.”
Why do people use Social Engineering?
Simply put, it is the cheapest and easiest method of gaining access to network or
computer resources without having to “hack” the system. Or, as Kevin Mitnick stated
before a congressional hearing, “It was quest for knowledge, it was the thrill, and there
was the intellectual challenge.” (Mitnick) Read the full interview at the link below.
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
Examples of how Social Engineering works
Situations vary, but one thing is certain: the information was given out easily,
freely, and quickly. Information is a valuable asset and should be secured according to a
computer security policy. Remember that the majority of businesses do not have one in
place.
Project created by: K. Stewart
Case Event
One morning, a group of strangers walked into a large shipping firm and walked
out with access to the firm’s entire corporate network. How did they do it? By obtaining
small amounts of access, bit by bit, from a number of different employees in that firm.
First, they did research about the company for two days before even attempting to set foot
on the premises. For example, they learned key employees’ names by calling HR. Next,
they pretended to lose their key to the front door, and a man let them in. Then they "lost"
their identity badges when entering the third floor secured area, smiled, and a friendly
employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and
obtain financial data off his unlocked computer. They dug through the corporate trash,
finding all kinds of useful documents. They asked a janitor for a garbage pail in which to
place their contents and carried all of this data out of the building in their hands. The
strangers had studied the CFO's voice, so they were able to phone, pretending to be the
CFO, in a rush, desperately in need of his network password. From there, they used
regular technical hacking tools to gain super-user access into the system.
http://www.securityfocus.com/infocus/1527
Lab Portion:
****NOTE****
This portion of the lab is for educational purposes only and should not be
used to steal, damage, alter or manipulate any computer system or network as per
the acceptable use policy.
Instructions:
The students will be divided into groups of 3 or 4 students. The instructor will
closely monitor the groups as they put together a plan that will allow them to gain as
much information as possible about a computer system or network on the Del Mar College
campus without the use of a computer, strictly by asking questions or gathering information
from easily accessible locations (for example, a trash can). The data that is gathered will be
compiled and presented as a group project to the class. The written report will be 5 pages
and include any countermeasures that can be put in place.
Examples: (Assuming the STC at the library were the target)
These questions are just examples: Students can use them or make up their own.
1. Casually ask one of the workers at the STC in the library (checked with Vic
Hatcher and he stated this would be fine) how many computers they have.
Why would this information be important to a potential hacker?
2. Casually ask one of the workers at the STC in the library what OS the computers
are using.
Why would this information be important to a potential hacker?
3. Casually ask one of the workers at the STC in the library if they know the IP
address information for their computer.
Why would this information be important to a potential hacker?
4. Casually ask one of the workers at the STC in the library if they are using a
firewall because you are having problems with your software.
Why would this information be important to a potential hacker?
5. Casually ask one of the workers at the STC in the library if any of the computers
use a modem.
Why would this information be important to a potential hacker?
6. Casually ask one of the workers at the STC in the library if they know the
password to the computer.
Silly enough, why would this information be important to a potential hacker?
7. Casually ask one of the workers at the STC in the library if the network uses an
intrusion detection system of some kind because your software isn’t working.
Why would this information be important to a potential hacker?
This portion allows a computer at the target location to be used.
8. Ask if you can use one of the computers in the STC in the library, having "accidentally"
forgotten your ID card.
Why would this be important to a potential hacker?
Use a program called SAMInside (demo version) to try to obtain password information.
The program is small enough to fit on a floppy disk and can be used to capture SAM file
information.
http://www.topshareware.com/SAMInside-download-5188.htm
SAMInside has the following functions:
- Extracting user data from Windows NT/2000/XP/2003 SAM files.
- Recovering user passwords from Windows NT SAM files.
- Recovering user passwords from Windows 2000/XP/2003 SAM files encrypted with Syskey.
- Breaking the Syskey protection (full version only).
- Performing brute-force attacks several times faster than comparable programs, because the
program code is written in assembler and thoroughly optimized for modern processors.
The brute-force attack speed of SAMInside on different processors:

Processor                        Forcing speed on LMHash       Forcing speed on NTHash
Intel Pentium-III 1000 MHz       ~3.2 million passwords/sec    ~3.3 million passwords/sec
AMD AthlonXP 1700+ (1466 MHz)    ~5.7 million passwords/sec    ~5.1 million passwords/sec
Intel Pentium-4 2500 MHz         ~3.7 million passwords/sec    ~5.4 million passwords/sec
One more feature is that it gives the most accurate extraction of user names and passwords from
Windows NT/2000/XP/2003 SAM files in national encodings.
The program runs on Windows (from Windows 95 up to Windows 2003) and requires an x86
processor from the Intel Pentium (or AMD K6-II) upwards with MMX support.
The program's functions
Menu "File":
"Import SAM-file..." (Ctrl+O) - open and load a SAM file into the program. If the file was
taken from a Windows NT/2000/XP/2003 system and encrypted with SYSKEY (the encryption is
mandatory on Windows 2000/XP/2003 systems), the program will additionally ask you to open
the SYSTEM file, located in the same directory as the SAM file:
%SystemRoot%\System32\Config. Copies of these files may also be located in the
%SystemRoot%\Repair and %SystemRoot%\Repair\RegBack directories.
"Import PWDUMP-file..." - open and load a text file with hashes in the PWDUMP format into the
program. The usual format of the hashes in these files is:
User_name:RID:LMHash:NTHash:Account_description::
for example:
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
Other programs, for example LC4, keep their information in the same format.
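Added example (not the lab's or SAMInside's code): a small parser for the PWDUMP line format just described, run over a constructed sample that includes the BillG line above. The audit flags the two conditions a defender checks first in such a dump, using the well-known "empty" LM and NT hash values; the extra accounts, the function names and the issue labels are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Well-known constants: the LM field holds EMPTY_LM when no LM hash is stored;
# the NT field holds EMPTY_NT when the account's password is empty.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

@dataclass
class PwdumpEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str
    description: str

def parse_pwdump_line(line: str) -> PwdumpEntry:
    # Field layout from the lab: User_name:RID:LMHash:NTHash:Account_description::
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a PWDUMP line: {line!r}")
    lm, nt = parts[2].upper(), parts[3].upper()
    for h in (lm, nt):   # each hash is 16 bytes written as 32 hex digits
        if len(h) != 32 or not all(c in "0123456789ABCDEF" for c in h):
            raise ValueError(f"malformed hash in {line!r}")
    desc = parts[4] if len(parts) > 4 else ""
    return PwdumpEntry(parts[0], int(parts[1]), lm, nt, desc)

def audit_pwdump(lines: List[str]) -> Dict[str, List[str]]:
    # Map each user to the weaknesses a defender should fix before someone
    # who has copied the SAM file finds them.
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blank and comment lines
        e = parse_pwdump_line(line)
        issues = []
        if e.lm_hash != EMPTY_LM:
            issues.append("LM hash stored (legacy, easily cracked)")
        if e.nt_hash == EMPTY_NT:
            issues.append("empty password")
        findings[e.user] = issues
    return findings

# Constructed sample input: the lab's BillG line plus two made-up accounts.
SAMPLE_PWDUMP = """\
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1105:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
""".splitlines()
```

Run `audit_pwdump(SAMPLE_PWDUMP)` to see which accounts still store an LM hash or have a blank password; both are policy problems to fix, not things to wait for a cracker to find.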
"Import local machine SAM" - import hashes from the SAM file of the local machine. To
perform the operations in this menu, log in to the system as Administrator.
"Using LSASS" - import local hashes by connecting to the LSASS process.
"Using Scheduler" - import local hashes using the system Scheduler utility, which runs with
SYSTEM user rights.
"Export to PWDUMP-file..." (Ctrl+S) - export data in the PWDUMP format (described above).
This file can then be loaded into any password recovery program.
Menu "Edit":
"Mark all users" (Alt+M) - mark all users. Only users whose passwords have not yet been found
can be marked.
"Unmark all users" (Alt+U) - unmark all users.
"Delete all users" (F12) - delete all imported users.
Menu "Tools":
"Check password" (F2) - check a password against all imported users. Enter the password in the
"Password:" field and choose this menu item (or press F2). The program will then check this
password for all users whose passwords have not yet been found, so you do not need to mark
users to check a password.
"Generate LMHash and NTHash..." (F3) - generate the LMHash and NTHash for a known
password. Enter the password in the "Password:" field and choose this menu item (or press F3).
The LMHash and NTHash matching the password will then be displayed in a dialog.
"Hidden mode" (Ctrl+Alt+H) - hidden mode of operation. With this option chosen, the
program disappears from the screen and the taskbar. To return to visible mode, press
the same key combination.
"Language" - choose the interface language. This menu lists all language files found in the
program's working directory.
Menu "Search":
"Brute-force attack":
"Start(Stop) on LM Hashes" (F5) - start/stop a brute-force attack on LM hashes. To start the
brute-force attack, mark the users whose passwords are to be recovered and press F5.
"Start(Stop) on NT Hashes" (F6) - start/stop a brute-force attack on NT hashes. To start the
brute-force attack, mark the users whose passwords are to be recovered and press F6.
"Options..." - brute-force attack settings: choose the character sets for the brute-force
attack and set the minimum and maximum password length.
"Mask attack": (this menu is unavailable in the demo version).
"Start(Stop) on LM Hashes" (F7) - start/stop a mask attack on LM hashes. To start the mask
attack, mark the users whose passwords are to be recovered and press F7.
"Start(Stop) on NT Hashes" (F8) - start/stop a mask attack on NT hashes. To start the mask
attack, mark the users whose passwords are to be recovered and press F8.
"Options..." - mask attack settings: shape the mask for the passwords being recovered and
set the maximum length of the password to recover. The mask works as follows: if you do not
know the Nth character of the password, set the Nth flag of the mask and enter the mask for
that character in the corresponding text field. The program uses the following masks:
? - Any printable symbol (symbol codes 32...255).
A - Any Latin capital letter (A...Z).
a - Any Latin small letter (a...z).
S - Any special symbol (!@#...).
N - Any digit (0...9).
X - Any symbol from the user's character set.
If you already know one of the characters in the password, type it in the Nth field and remove
the mask flag.
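Added example (not SAMInside's code): how the mask classes above multiply into a keyspace, and how long exhausting that keyspace takes at the speeds quoted in the processor table above. The compact mask notation, the function names, and the sizes assumed for the 'S' and 'X' classes are this example's own assumptions.

```python
from typing import List, Tuple
# Sizes of the mask classes listed above. 'S' and 'X' are not enumerated in
# the text, so their counts here are assumptions of this example.
MASK_CLASS_SIZES = {
    "?": 256 - 32,   # any printable symbol, codes 32...255
    "A": 26,         # Latin capital letter A...Z
    "a": 26,         # Latin small letter a...z
    "N": 10,         # digit 0...9
    "S": 32,         # special symbols: assumed to be the 32 ASCII punctuation marks
    "X": 95,         # user character set: assumed to be all printable ASCII
}

# Brute-force speeds quoted in the table above (passwords per second).
SPEEDS = {
    "Intel Pentium-III 1000 MHz": {"LM": 3.2e6, "NT": 3.3e6},
    "AMD AthlonXP 1700+ (1466 MHz)": {"LM": 5.7e6, "NT": 5.1e6},
    "Intel Pentium-4 2500 MHz": {"LM": 3.7e6, "NT": 5.4e6},
}

def parse_mask(spec: str) -> List[Tuple[str, bool]]:
    # Compact notation used only by this example: a class letter marks a
    # position whose mask flag is set; a backslash before a character means
    # that character is already known (flag removed), e.g. r"\P\aaaaaNN".
    positions, i = [], 0
    while i < len(spec):
        if spec[i] == "\\":
            positions.append((spec[i + 1], False))
            i += 2
        elif spec[i] in MASK_CLASS_SIZES:
            positions.append((spec[i], True))
            i += 1
        else:
            raise ValueError(f"unknown mask class {spec[i]!r}")
    return positions

def mask_keyspace(positions: List[Tuple[str, bool]]) -> int:
    # A flagged position multiplies the keyspace by its class size; a known
    # character fixes the position and contributes a factor of 1.
    total = 1
    for value, flagged in positions:
        if flagged:
            total *= MASK_CLASS_SIZES[value]
    return total

def seconds_to_exhaust(spec: str, processor: str, hash_type: str) -> float:
    return mask_keyspace(parse_mask(spec)) / SPEEDS[processor][hash_type]

if __name__ == "__main__":
    for spec in ("AaaaaaNN", r"\P\aaaaaNN", "????????"):
        print(spec, seconds_to_exhaust(spec, "Intel Pentium-4 2500 MHz", "NT"), "s")
```

An eight-character password fitting "AaaaaaNN" falls in under two hours at the quoted NT speed, and in seconds once two characters are known, which is why length and unpredictability matter more than a single capital letter and two digits.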
"Dictionary attack":
"Start...(Stop)" (F9) - start/stop a dictionary attack. To start, just choose the text file
containing the dictionary; the program will then check every password from the dictionary file
against all users whose passwords have not yet been found.
Additional information:
- In the bottom left of the window there is a text field "Password:" used to:
  - set the initial password for the brute-force attack and mask attack;
  - enter the password to check and to generate the LMHash and NTHash from;
  - display the password currently being worked on.
- While working, the program displays its speed as N * X p/s, where N is the number of users
being worked on at the same time and X is the brute-force attack speed (or mask attack speed)
for each user.
- If you quit the program without stopping the brute-force attack, the next time the program is
launched it will continue from the last checked password.
- The program supports sorting of the loaded data. Just click the left mouse button on the
table header to sort.
Program limitations:
- Maximum password length for the LMHash brute-force attack and mask attack: 14 characters.
- Maximum password length for the NTHash brute-force attack and mask attack: 32 characters.
- Maximum password length for the dictionary attack: 128 characters.
- Maximum password length in the "Password:" field: 128 characters.
- Maximum number of users to work on: 4096.
Once SAMInside is installed, it will look like this screenshot:
Using the "Import local machine SAM" function you can bring in the SAM file from the
host machine.
Depending on the machine, it may take a few minutes to gather the SAM file information.
Once all data has been gathered, it will be displayed like the following screenshot.
(Remember that the appearance will change depending on the OS and the data gathered.)
Once the data has been gathered, you can either close the program (IT REMEMBERS
THE INFORMATION SO YOU CAN CRACK IT LATER!) or use the start password recovery option
to try to crack the password hash.
The time that it takes to crack the password within the limitations of the trial version may
vary from the full version. Remember that the trial version does have limitations.
Finally, have the students compile their data and submit it as a 5 page report. Have the
students include countermeasures for every event they encountered. This lab will show
the importance of a strong security policy and show the weaknesses of most computer
networks.
“The best way to secure a network is to get rid of the weakest element, humans”, Kevin