Social Engineering Capture The Flag at DEF CON 26 - Postmortem (Part One)

(Author’s note: throughout this post, I’m going to speak somewhat vaguely about what information I found and where, and I will never say exactly what company I targeted.)

Well, it’s been a little over a month since I had the opportunity to compete in the incredible SECTF at DEF CON 26, so I figured it’s time I wrote up my thoughts on the matter. I intend to do so across several posts. This first installment will cover the initial phases of my research into the company I was assigned.

Before all that, though, I need to extend a very special thank you to Chris Hadnagy and his entire wonderful crew from social-engineer.org, without whom the Social Engineering Village wouldn’t be possible. Everyone involved in making the SE Village a success was incredibly pleasant and helpful throughout the conference, and they did a wonderful job of fostering an environment of learning, sharing, and yes, friendly competition. Some of the best conversations I had across BSides, Black Hat, and DEF CON took place in the SE Village, and I’m truly thankful for the opportunities they afforded me.

Now, on to my experience in the SECTF. There are plenty of accounts out there from many other past competitors, so I’m just going to touch on some highlights. First of all, my target was a Fortune 100 company, so right away I knew that their online footprint (including both their own systems and their employees’ online presences) would be massive. I would say that this is a blessing (lots of information to find) and a curse (lots of information to sift through), but honestly, I really enjoy doing open-source intelligence (OSINT) and recon work. Let’s hit on some high points of my investigation:

  • Of course, I started with the classic tools for DNS interrogation and general recon: whois, nslookup, and dig. However, the company had made sure that their whois record listed only a generic role address (“AdminContact@company.com”) and no employee names. While this may seem like a given, there are still companies out there publishing the real name and email of whatever network engineer registered their domain back in the day. (One of my university courses directly called out another university’s error in putting their web administrator’s direct contact information into the university whois record.) When you run this check yourself, also look at the RNAME field of the zone’s SOA record (dig SOA) and at archived whois snapshots: cleaning up the registrar record today does not retract an address that archived copies already captured.
  • I decided to grab a few quick flags by describing the company’s networking environment. Glassdoor, LinkedIn, and other job/career sites are great for finding exactly what kind of DevOps employees and networking engineers a company is looking for. Surprising nobody, they aren’t exactly on the most up-to-date version of Windows Server.
  • After compiling a list of the main technologies used internally, I decided to start targeting employees directly, primarily over Twitter. While it’s worth pursuing multiple social media platforms, Twitter has an excellent advanced search feature that nobody seems to know about: operators such as from:, near:/within:, since:/until:, and filter:images can be combined with quoted phrases, exclusions (-term), and boolean OR. If you want to learn just how powerful it is, watch Tracy Maleeff’s presentation from the DEF CON 25 Recon Village. Anyway, after combing through Twitter for a while, I was pleasantly surprised by how little information employees were leaking. Typically, you would expect to find at least one employee taking photos at their desk (sometimes selfies, sometimes a delicious snack on their desk, sometimes just the boring gray cubicle), which can reveal what technologies average employees use in day-to-day work, as well as potentially sensitive documents on the desk. In this case, however, I found nothing major of note on Twitter. That isn’t to say that social media yielded no results, however. Read on to discover how your favorite social consumption app of 2010 revealed some great information for me.
  • Yes, that’s right, Foursquare ended up being a great source of information. Now, if you still use Foursquare, more power to you. I strongly believe that abandoning technology exclusively due to its age is unnecessary; that’s why I’m still doing math on an HP 15C (well, kind of). Side note: I’m not sponsored, but if Swiss Micros wants to give me a call, I’m here. Anyway, Foursquare. It’s still around and people are still using it. However, unlike when I last used it in 2010/2011, people are now doing more than checking in to coffee shops and restaurants; they are now checking in to their offices, and they’re taking pictures along with these check-ins. I’m honestly not sure how I stumbled upon it, but the Foursquare page for the company’s world headquarters was an absolute treasure trove of flags, due entirely to the pictures people took of their offices and the comments they left when checking in. I could honestly build a convincing pretext based entirely on their musings about the lunches available in the cafeteria; they went into that much detail. I could also create my own employee ID badge based on the badges visible in these pictures. Sure, it won’t buzz me into the building, but it’ll look good enough to keep random employees in the hall from challenging me.
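As an added illustration (not code from the original post or from the SECTF), here is a small Python script for three of the checks described above: whether a whois dump names a real person rather than a role mailbox, which technologies a set of job postings implies, and how to compose a Twitter advanced-search query from its operators. The domain, the contact names and the postings are constructed, and the whois classification is a heuristic rather than a parser for any particular registrar’s output format.

```python
"""OSINT recon triage: whois contact hygiene, tech-stack inventory from job
postings, and Twitter advanced-search query building. Added example, not code
from the original post; all data below is constructed (fictional company)."""
import re

# ---- 1. whois: does the record expose a named employee, or only role accounts?
ROLE_LOCALPARTS = {"admin", "admincontact", "hostmaster", "postmaster", "dns",
                   "domains", "noc", "abuse", "webmaster", "domainadmin"}
ROLE_NAME_WORDS = {"administrator", "admin", "contact", "domain", "hostmaster",
                   "redacted", "privacy", "proxy", "registration"}

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.COM
Registrant Organization: Example Corp
Registrant Name: Domain Administrator
Registrant Email: AdminContact@example-corp.com
Admin Name: Domain Administrator
Admin Email: AdminContact@example-corp.com
Tech Name: Jane Q. Netengineer
Tech Email: jane.netengineer@example-corp.com
Name Server: NS1.EXAMPLE-CORP.COM
"""

def whois_contacts(text):
    """Parse 'Role Field: value' contact lines from a whois text dump."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Registrant|Admin|Tech|Billing) (Name|Email): *(.+?) *$", line)
        if m:
            fields[(m.group(1), m.group(2))] = m.group(3)
    return fields

def personal_contacts(text):
    """Return (role, field, value) for contacts that look like a real person.
    Heuristic: role mailboxes and privacy-proxy style names are filtered out."""
    hits = []
    for (role, field), value in whois_contacts(text).items():
        if field == "Email":
            local = value.split("@", 1)[0].lower()
            looks_like_name = re.fullmatch(r"[a-z]+[._-][a-z]+\d*", local)
            if looks_like_name and re.sub(r"[._-]", "", local) not in ROLE_LOCALPARTS:
                hits.append((role, field, value))
        else:
            words = set(value.lower().split())
            if len(words) >= 2 and not words & ROLE_NAME_WORDS:
                hits.append((role, field, value))
    return hits

# ---- 2. job postings -> which technologies the company runs internally
TECH_PATTERNS = [  # (label, case-insensitive regex)
    ("Windows Server 2008 R2", r"windows server 2008 r2"),
    ("Windows Server 2012 R2", r"windows server 2012 r2"),
    ("Active Directory", r"active directory"),
    ("SCCM", r"\bsccm\b"),
    ("PowerShell", r"\bpowershell\b"),
    ("Cisco ASA", r"cisco asa"),
    ("Citrix", r"\bcitrix\b"),
]

SAMPLE_POSTINGS = [  # constructed, in the style of careers-site listings
    "Senior DevOps Engineer: Windows Server 2012 R2, Active Directory, SCCM and "
    "PowerShell required; Jenkins a plus.",
    "Network Engineer II: Cisco ASA firewalls, Windows Server 2008 R2 migration "
    "experience and PowerShell scripting.",
    "Help Desk Analyst: supports Office 365, Windows 10, Citrix and Cisco IP phones.",
]

def tech_inventory(postings):
    """Count postings mentioning each technology; unmentioned labels are dropped.
    Sorted most-mentioned first so the core stack floats to the top."""
    counts = {}
    for label, pattern in TECH_PATTERNS:
        n = sum(1 for p in postings if re.search(pattern, p, re.IGNORECASE))
        if n:
            counts[label] = n
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

# ---- 3. Twitter advanced search: compose the operator string
def _term(t):
    """Quote multi-word terms so Twitter searches them as an exact phrase."""
    return f'"{t}"' if " " in t and not t.startswith('"') else t

def twitter_query(all_of=(), any_of=(), none_of=(), near=None, within_mi=None,
                  since=None, until=None, filters=()):
    """Build a query from Twitter's search operators: implicit AND, OR groups,
    -exclusions, near:/within:, since:/until: (YYYY-MM-DD) and filter:."""
    for d in (since, until):
        if d is not None and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", d):
            raise ValueError(f"bad date {d!r}, expected YYYY-MM-DD")
    parts = [_term(t) for t in all_of]
    if any_of:
        parts.append("(" + " OR ".join(_term(t) for t in any_of) + ")")
    parts += ["-" + _term(t) for t in none_of]
    for op, val in (("near", near and _term(near)), ("within", within_mi and f"{within_mi}mi"),
                    ("since", since), ("until", until)):
        if val:
            parts.append(f"{op}:{val}")
    parts += [f"filter:{f}" for f in filters]
    return " ".join(parts)
```

In practice you would feed personal_contacts the text output of a whois lookup and tech_inventory the postings you scraped from the careers sites; on the constructed data, the Tech contact is the one flagged, PowerShell comes out as the most-mentioned technology, and a query such as twitter_query(all_of=["Example Corp"], any_of=["#newbadge", "first day"], none_of=["hiring"], near="Anytown", within_mi=10, since="2018-01-01", filters=["images"]) asks only for image posts near the (fictional) office that mention the company and a new badge or a first day.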

I apologize for the wall of text, I wanted to throw in some images to break things up but they’d have to be so heavily redacted that there wouldn’t be much point. TL;DR: Your employees are posting information online that could be used by malicious actors. Good luck stopping them.

In part two, I’ll cover more of the research I performed, focusing on internal documents that were inadvertently served to the public. In a future post I’ll also cover my pretexts: how I created them, what pitfalls I avoided, and how I made them believable. Thank you for taking the time to read my somewhat rambling thoughts, and feel free to reach out if you have any questions. –JP

Written on September 17, 2018