The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers by Kevin D. Mitnick & William L. Simon
Author:Kevin D. Mitnick & William L. Simon [Mitnick, Kevin D. & Simon, William L.]
Because of the nature of Biotech’s business, access to this information is strictly regulated by the Food and Drug Administration, and the success of the penetration test would need to be the subject of a formal report to that agency.
Dustin also gained access to the employee database that gave full name, email account, telephone number, department, position, and so forth.
Using this information, he was able to select a target for the next phase of his attack. The person he chose was a company systems administrator involved in overseeing the pen test. “I figured even though I already had plenty of sensitive information, I wanted to show that there were multiple attack vectors,” meaning more than one way to compromise information.
The Callisma team had learned that if you want to enter a secure area, there’s no better way than to blend in with a group of talkative employees returning from lunch. Compared to morning and evening hours when people may be edgy and irritable, after lunch they tend to be less vigilant, perhaps feeling a bit logy as their system digests the recent meal.
Conversation is friendly, and the camaraderie is filled with free-flowing social cues. A favorite trick of Dustin’s is to notice someone getting ready to leave the cafeteria. He’ll walk ahead of the target and hold the door for him, then follow. Nine times out of ten — even if it leads to a secured area — the target will reciprocate by graciously holding the door open for him. And he’s in, no sweat.
Alarmed
Once the target had been selected, the team needed to figure out a way to physically enter the secured area, so they could attach to the target’s computer a keystroke logger — a device that would record every key typed on the keyboard, even keys typed at startup, before the operating system had loaded. On a system administrator’s machine, this would likely intercept passwords to a variety of systems on the network. It could also mean the pen testers would be privy to messages about any efforts to detect their exploits.
Dustin was determined not to risk being caught tailgating. A little social engineering was called for. With free access to the lobby and cafeteria, he got himself a good look at the employee badges and set about counterfeiting one for himself. The logo was no problem — he simply copied it from the company Web site and pasted it into his design. But it wouldn’t need to pass a close-up examination, he was sure.
One set of Biotech offices was located in a nearby building, a shared facility with offices rented to a number of different companies. The lobby had a guard on duty, including at night and on weekends, and a familiar
