In 1999, two psychology professors from different universities performed an experiment called the “Invisible Gorilla.” Their names are Christopher Chabris and Daniel Simons, and the premise behind their experiment was that human beings are naturally quite selective in what they pay attention to during a normal day. That selectivity can actually be tuned so targets will see what you what them to see and, with a high degree of success, not see what you'd like them to ignore. This is called selective attention.

In the experiment, you, as the observer, are watching six college-aged kids passing basketballs in front of some elevators. Three of the players are wearing white shirts and three are wearing black shirts. You're asked to count how many times the players in white shirts pass the basketball. And while the task sounds simple enough, and you're likely to get the correct answer to the question asked of you, you're also likely to miss the fact that a person in a gorilla suit walks right through the group of students, pounding its chest before moving off the opposite side of the screen.

You can find out more about the experiment, and watch some of the videos at www.theinvisiblegorilla.com. But since you, the reader, are already aware of the outcome, it might prove more fun to have one of your friends watch the video without telling them the punch line.

In reality, selective attention is a great way to engineer people's reactions and motivations. As a more practical example, consider for a moment why casinos in Las Vegas make you walk through the gambling areas and high priced shopping to get to your hotel room after check-in. Additionally, when you're bored, standing in line at the grocery store, how many times did you buy the candy bar? Or how many times (if you can count that high) did your children desperately want that toy on the bottom shelf at the checkout line? These are methods for keeping your attention elsewhere, to increase the chance that you'll spend more money and forget your wait in line.

Generally speaking, great hackers can use this to their advantage as well. If I can draw your attention to one thing, it means you're not paying attention to something else. This can also be referred to as distraction.

One of the core concepts of magic is to distract your audience so you can do something else while they're not paying attention. We've discussed magic in this book previously because it ties in well with what we're trying to test for in the security world. When was the last time you watched a magician perform a trick live? Can you recall the reaction of the audience? Was it surprise? Shock? The great part about this example is that the audience knew this was going to be a magic trick, and it still took them by surprise.

Let's take this one step further and not tell the audience about the trick or the magic. In fact, let's not even tell them they're an audience or we're a magician. At this point, the trick, when performed correctly with distraction and practice, should go completely unnoticed. Remember, our goal is to get the user to do something (help us install malicious software and bypass security mechanisms) while ignoring something else (the threat we could pose to the organization as an unknown person with unknown motives).

In a 2004, Robert Cialdini wrote an article for Scientific American entitled “The Science of Persuasion.” In his work, the author discusses the underlying interactions between human beings that can be manipulated in such a manner to increase the chance of a positive response from a target. As a penetration tester, we can use these same concepts to ensure our efforts are rewarded with success.

In the article, Mr. Cialdini states, “Six basic tendencies of human behavior come into play in generating a positive response: reciprocation, consistency, social validation, liking, authority, and scarcity.”¹ So, from our perspective, in order to best penetrate an organization, we'll want to utilize these human tendencies when interacting with the employees of an organization in ways they'll understand instinctually. This touches on the social engineering concepts we've covered previously in this book. As you'll see in the case study later in this chapter, we use this concept to limit the chances we'll be confronted during our work. For example, actions as simple as looking and acting as though we have the appropriate level of authority to conduct an action, giving the target something tangible (such as a USB drive or CD), and being polite by offering the target a compliment help build trust and allow us to influence the behavior of the target. You'll see a demonstration of how a team can use these methods when we cover the case study later in this chapter.

At this point, if you've been around the security industry for any amount of time at all, you've likely heard the tale of “the guy who knows a guy that scattered USB thumb drives through a target parking lot, only to have the users pick up the drives and plug them into their computers.” It's a consistent story, and it's been around for a while, even if no one is actually certain who started it.

This technique has worked fairly consistently in the past. Your team buys some inexpensive thumb drives, installs some nefarious software on the drives, and places the drives in conspicuous places in the parking lot. USB drives have value to users because they're small, they hold data, and, frankly, they're cool. Over time, however, as this story has spread and been introduced into security awareness discussions and training, users have grown suspicious of random, unknown USB drives. As a penetration tester, that means we need to adjust our attacks to appear trustworthy to the users again, and we'll cover more about this later in the chapter.

First, let's look at some basic USB storage devices that might be useful to us during our testing. The first is the normal USB thumb drive. They range in size from about an inch to an inch and a half long, as shown in Figure 6.1. The storage capacities of these devices is sufficient for small payloads (such as a self-loading Trojan or key logger), or they can accommodate entire bootable Linux distributions. The payload you use should be determined by your end goal and your rules of engagement. And since these devices are so popular, most operating systems will auto-mount, auto-load, and/or auto-run content from them without much in the way of user interaction. This will be important later, when we're considering our strategic options for compromising the organization.

The next type of USB device is much smaller, and in my opinion, much more dangerous for users. If you recall from Chapter 1, we discussed the use of key logger devices that attach to the keyboard plug on the back of the computer. These devices look as if they belong there and don't draw attention to themselves. But, from my perspective, they're still larger than I'm comfortable with during a penetration test.

Looking at Figure 6.2, we see another version of the USB drive that is significantly smaller and can actually utilize a variety of storage chip sizes. This means we can create an 8 GB, a 16 GB, or even a 32 GB USB device without ever changing the actual hardware. And the storage cards we use in the device can be preloaded with specific types of deliverables, based on our needs.

In Figure 6.2 you'll see an image of the small USB device (it looks like those small USB dongles used for wireless mice and keyboards). Next to the device, I've placed several different micro SD cards, which are used as the memory for the device. One of the micro SD cards is shown sticking out of the slot, so you can get a better idea of how the memory slides into the device. And finally, I've included a dime so you get a better perspective of the size of the device.

CD-ROMs and DVDs are a popular medium for users. They can store music, documents, pictures, or other digital media, and they're fairly inexpensive. Most modern computers can utilize these discs without any extra software, and most operating systems can auto-run these types of devices.

For comparison purposes, CDs can hold up to 700 MB of data. This would be a great size for storing data with embedded Trojans or other malware, even with a fully bootable Linux operating system. On the other hand, DVDs have a capacity of roughly 4.4 GB, once all is said and done. In this instance, you can create the same bootable Linux operating system and include a much larger store of software that allows you to bypass any operating system—level restrictions or to compromise the data on the hard disk itself.

Again, which one of these options we end up utilizing depends entirely on the mission goal. If we're looking for a quick, user-level compromise, then we're probably better off using the less expensive CD-ROMs. If we're going for a full system compromise, where we intend to exfiltrate or modify data on the hard disk and need the larger collection of tools, we'll probably want to use the DVDs.

One of the first things to think about is the target organization itself. What type of organization is it? Where is the organization located? What are the primary organizational mission goals? Where will the team move in on the target? Will it be at the office building itself? Is it at a conference location? What types of employees will we likely encounter during the work?

Users tend to be more relaxed and less on their guard when they're off-site than when they're at work. Now, that doesn't mean users are going to be alert and reliable when a stranger is in their work area; it just means they're likely to care more than they will when working off-site. So the best location to target users will normally be outside their normal working environment. Conditions are different and new. And most users won't know what's normal for those environments, making them less suspicious.

If you're forced to conduct the project at the customer organization, your team will need to be more detailed in planning stages and conform more to the cultural norms of the organization. Your language, manner, and approach will have to be tailored to match the environment. When done correctly, on-site penetration projects shouldn't be much more difficult for a seasoned professional.

Another alternative is an off-site meeting or gathering of employees. Good examples are fund-raising carnival days, team-building exercises, and even charity work performed by employees as a group. They still work for the organization, but they're out of the office and less likely to be security conscious.

The strategy is our game plan. It's how we'll approach the users, gain their trust, and get our software installed on their computers. The strategy has to take the location and the mood of the users into account. A good example of this would be a product convention in Las Vegas versus an executive meeting at an Atlanta hotel. The product convention is likely to include employees from all ranks of the organization, whereas the executive meeting is more likely to be attended by folks in formal business attire. Also, Las Vegas tends to foster that “what happens here, stays here” mentality, where employees are more likely to let their guard down and enjoy themselves. An executive meeting held at a nice hotel in Atlanta is less likely to foster this type of attitude.

The strategy we choose needs to fit with the location, target audience, time, and wariness of our targets. We can snail mail our payload to the target in custom packaging that makes it look more official (thus more likely to be opened and trusted). Another option to get the payload into our target's hands is to present it as a perk of a conference or convention. In some instances, we can use our newly developed social engineering skills to get third-party individuals to pass along our surprise for us (hotel staff, conference staff, human resources, etc.).

Since our penetration projects will be different, each of our approaches will be customized to the organization we're targeting. Your team will need to be flexible and creative. Consider all possible alternatives, because you can be fairly certain the target organization hasn't.

The technology should fit together with whatever plan you've decided on. They're like pieces of the same puzzle. If you try to use technology that doesn't fit into the story you've created and that you're walking your target through, it will stand out and is more likely to look suspicious. CDs may be more useful in situations where it's a public venue and needs to appear mass produced, such as coupons, tourist information, or home business opportunities.

USB thumb drives cost more, and people will know that, so trying to hand someone a USB drive with “Atlantic City Tourist Information” on it will appear suspicious. We want to save the high-cost deliverables for those instances when we're working with a smaller target audience, and we want the impression to be personal, as if we're trying to earn that person's business.

In those cases where we have physical access to the target organization's building, we can use the micro USB drives, CDs, or something similar. These allow us to plug into the USB port on target systems and either automatically install our own software or reboot the computer into a customized operating system that will allow us to mine data from the resident hard disk.

The penetration team members decided that they would attempt to look like employees of the company holding the conference and approach front desk personnel with gift bags for employees checking into the hotel for the conference. It was easy enough to provide a list of employees who would be checking in, since this information had been provided on the corporate website. Each gift bag would contain a welcome letter from the conference organizers, valid corporate flyers (also downloaded from the corporate website and printed out), and gum, mints, candy bars, and a custom USB thumb drive that would have the corporate logo printed on it.

In order to approach the hotel staff, the penetration team members needed to look the part of employees from the company. A high resolution image of the corporate logo was found on the website and used to embroider corporate-colored polo shirts. Team members donned these shirts, along with slacks and nice shoes, and approached the front desk. A few minutes later, the hotel registration manager had gladly agreed to hand out the bags to incoming conference attendees.

Each USB thumb drive had been loaded with Trojan software that would install itself on the employee's computer, hiding behind the actual driver installation process that normally pops up when a new drive is plugged in. The Trojan would then attempt to call back to a specific server address on the Internet, alerting the penetration team that a new connection had been created. The information transmitted by the Trojan included the computer's IP address, machine name, and date/time of its installation.

The second method of approach would put the penetration team in direct contact with the conference staff. This time the attack would come in the form of custom-printed CDs that contained information on tourist activities in Las Vegas, including brochures, flyers, and coupons. Included on the CD would be the Trojan, which would auto-load when the CD was put into a computer.

This time, the penetration team would need to emulate hotel staff. The goal was to deliver the CDs to the conference staff while pretending to be from the hotel and state that the hotel likes to provide these CDs to conference attendees as a way to help them enjoy their stay in Las Vegas. Emulating the clothing of the hotel staff was simple, since most employees wore a black polo shirt with tan slacks. Generic gold-colored name badges (that were similar to the ones worn by hotel staff, just without the logo) were created with fake names for each member of the penetration team.

In the morning, on the day registration was supposed to begin, penetration team members donned their uniforms and went downstairs to meet the registration staff. The plan was carried off without problem. The conference staff was immediately drawn into the story provided by the pen test team members and put the CDs on the registration table next to their own handouts. This way, when employees registered for the conference on-site, they could simply pick up all the conference materials and the tourist CD at the same time.

This particular penetration test worked out quite well. And while the scenario itself has been fictionalized to a degree to protect the innocent, it's still valid. The penetration team in this case had set identifiers into each of the two Trojan delivery mechanisms so we could discern how each computer was compromised, by the USB drive or the CD-ROM. The success rate for this attack was around 12 to 13 percent. That means that roughly 10 people installed the Trojan on their computer system so that it reached back across to the Internet to our custom server. That's 10 separate footholds on computers that process, store, or transmit that organization's sensitive information.

Now, what I haven't told you yet is that this particular organization was very security friendly. When I use the term security friendly, I mean to say the organization has a robust security program with annual security awareness training for all employees. This particular target should have been a tougher nut to crack. But as I mentioned earlier in the chapter, a successful low tech hack depends heavily on where and when you approach your targets and how the payloads are delivered. We created a false sense of security using social engineering tactics and delivered our payloads in a manner that was trusted, allowing us to gain access to the target network in all the organization's various geographic locations. Imagine the success rate for an organization that was less prepared and poorly trained.