Anti-social Engineering in Chimps
Disclaimer: whilst I did actually do the things I shall be describing, I did them in my own home, to my own computers, with the owner's (my) permission. You won't find any code here useful for anything but academic curiosity.
Preface
I really ought to congratulate myself first for a truly witty title. Anti-social? Genius. Chimps? Well, that's just the icing on the top of a triple-tiered cake of pure excellence. But all back-patting aside, the other day I had a thought: how easy would it be for your everyday kid with a net connection to do some damage? How simple are malicious acts to commit? Could a knowledge of basic psychology, a Bruce Schneier-esque book (or even the real deal) and some programming ability give hours of fun?
The obvious answer is yes, maybe with a snort of derision: "Do you really need to demonstrate this?" My point, however, is that it shouldn't be. Object Oriented Programming, for example, is such a simple concept; but people's eyes tend to glaze over when something IT-related is explained. Will our average youngster (a generalisation, sure) be able to keep up with the concepts and cause some trouble with this in mind?
I really ought to point out, though, that in keeping with the everyday element I decided to develop on Windows, and using C++; a language which I have never touched, and always disdained. (Though I do have several years of C, amongst others, behind me; so this is not quite an achievement, and not quite as large a challenge as in the real world in this situation).
This article will hopefully prove the point that people are generally trusting fools, and a bit of a liability. It should demonstrate simple concepts in social engineering, and the risks therein. It will certainly not teach you anything about programming malicious code, nor will it allow you to suddenly trick your way into computers. I definitely won't be leaving any of the, shall we say, damaging code I used here without obfuscation.
The Ballache
Setting this up was, to be perfectly honest, a bugger. Having never programmed anything for Windows with any degree of complexity (I once wrote a tiny program to work out hourly rates and averages for packing benches in the warehouse where I worked as an admin one summer as a student), and certainly nothing which used sockets on anything but Unix, I started off thinking this would be a breeze.
I very stupidly started off with emacs, on a Debian box, writing a very small echo server in C that I would then use to take commands and put them through system(). See? Simple, no need for even a shell, this should be simple proof of concept, no need to worry about fork()/execl() etc., let the OS do the work. I didn't even care about piping back the results of the command. Well, that went out of the window when I suddenly realised W32 probably didn't use Unix sockets ;). Balls. Okay, find a quick winsock tutorial. This is not as simple to code with. Crap.
This, though, kinda cements my original brief: can some horrible little kid take publicly available code and adapt it for this sort of thing easily? Because that's what I did. I grabbed a publicly available Winsock echo server tutorial and its code and used that. An echo server, as a quick refresher, basically listens, accepts data, then sends it straight back. I have used a Python example in the past to demonstrate strace and tcpdump. Even compiling and testing this on Linux was amazingly annoying, too; missing headers and so on. But yes, all more tedious than difficult to solve. In the end, I grabbed a Windows box and did it all there. Hell.
Finally, when I realised it was going nowhere, I relented and picked the first thing Google found for me that worked and lifted it verbatim. I used a fantastically written little program found at tangentsoft, a website that, based upon what little use I have had of it, I cannot recommend enough. I know I promised to obfuscate the code I used, but there is no point with this, and I'd rather link to their website than steal the code and host it. After that, it was simple enough to change that code to what I wanted. I have put my patches through a quick and dirty script, but you should be able to get the gist. (Basically, put everything into caps and reverse the lines.)
I made changes to the provided basic server and to the main method, essentially to always start on the same port (above the limit for most scanners) and to put anything received through system() instead of echoing it back. Is it sophisticated? Is it beautiful? Is it clever? Nope. That's not the point though. Or even close. The point was that, given working code, it took two or three minutes.
The Bait
Once you have some kind of tool, and have tested it, you need a delivery method. (I say tested; MS telnet behaves rather oddly, which made all of this nearly redundant. MS telnet, as best I can tell, sends data as you type it, so pretty much a character at a time rather than a line at a time. That means that the shell on the other end is executing 'd', 'e', 'l', ' ', '*' instead of 'del *'. That being said, had GNU telnet done the same, writing a client would have been simple enough.) There are many delivery methods, but people like to think they're clever, shrewd. People are becoming harder to convince to 'Click Here for Boobies', or 'Free Hollywood Films'. So then, how do we do this under their respective radars? Well, by offering them boobies or films, of course!
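The telnet problem above is a framing problem, not a telnet problem: TCP delivers a byte stream with no message boundaries, so "del *\r\n" can arrive as one recv(), as one byte per recv() (the MS telnet behaviour described above), or glued to the next command. Any server that hands each recv() result straight to system() gets that wrong in both directions. The following is an added example, not the article's code nor anything from tangentsoft; it shows the line-buffering loop that would sit between recv() and the dispatch, fed with constructed byte chunks rather than a live socket, and it deliberately leaves the system() call out.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the article's or tangentsoft's code. Buffers bytes as
 * they arrive from recv() and hands back only complete, terminator-stripped
 * lines. The constructed inputs below stand in for what a per-character
 * client and a coalescing client would deliver; nothing here touches a
 * socket or runs a command. */

#define LINE_MAX 256
#define MAX_LINES 8

struct linebuf {
    char data[LINE_MAX];
    size_t len;
};

/* Consume n bytes as delivered by one recv(). Each '\n' completes a line,
 * which is copied (CR/LF stripped) into out[*nout]. Partial input stays in
 * the buffer for the next call; bytes beyond LINE_MAX-1 are discarded rather
 * than overflowing. Returns the number of lines completed by this chunk. */
static size_t feed(struct linebuf *lb, const char *chunk, size_t n,
                   char out[][LINE_MAX], size_t max_out, size_t *nout)
{
    size_t completed = 0;
    for (size_t i = 0; i < n; i++) {
        char c = chunk[i];
        if (c == '\n') {
            size_t end = lb->len;
            if (end > 0 && lb->data[end - 1] == '\r')
                end--;                          /* telnet sends CR LF */
            lb->data[end] = '\0';
            if (*nout < max_out)
                strcpy(out[(*nout)++], lb->data);
            completed++;
            lb->len = 0;
        } else if (lb->len < LINE_MAX - 1) {
            lb->data[lb->len++] = c;
        }
    }
    return completed;
}

/* Run a sequence of recv() results through one buffer; returns the number of
 * whole commands a server should dispatch. A naive server would instead call
 * system() once per chunk, nchunks times. */
size_t reassemble(const char *const chunks[], size_t nchunks,
                  char out[][LINE_MAX], size_t max_out)
{
    struct linebuf lb = { {0}, 0 };
    size_t nout = 0;
    for (size_t i = 0; i < nchunks; i++)
        feed(&lb, chunks[i], strlen(chunks[i]), out, max_out, &nout);
    return nout;
}

/* Constructed inputs (not captured traffic). */
static const char *const PER_CHAR[] = { "d", "e", "l", " ", "*", "\r", "\n" };
static const char *const COALESCED[] = { "dir\r\nec", "ho hi\r\n" };

static char g_lines[MAX_LINES][LINE_MAX];

/* Seven recv() calls, one command: "del *". */
size_t demo_per_char(void)
{
    return reassemble(PER_CHAR, sizeof PER_CHAR / sizeof *PER_CHAR,
                      g_lines, MAX_LINES);
}

/* Two recv() calls, two commands: "dir" and "echo hi". */
size_t demo_coalesced(void)
{
    return reassemble(COALESCED, sizeof COALESCED / sizeof *COALESCED,
                      g_lines, MAX_LINES);
}

/* Line i from the most recent demo run, or "" if out of range. */
const char *demo_line(size_t i)
{
    return i < MAX_LINES ? g_lines[i] : "";
}

int main(void)
{
    size_t n = demo_per_char();
    printf("per-char stream: %zu command(s): \"%s\"\n", n, demo_line(0));
    n = demo_coalesced();
    printf("coalesced stream: %zu command(s): \"%s\", \"%s\"\n",
           n, demo_line(0), demo_line(1));
    return 0;
}
```

Compile with gcc or MinGW and run it; the per-character stream yields a single "del *" and the coalesced stream yields "dir" and "echo hi". In a real server the same feed() call wraps each recv(), and whatever you dispatch to runs once per returned line rather than once per segment, which is the difference between the server the article describes and one that actually does what its author typed.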
Because I'm not working at the moment, I'm back living with my mother and sister, and because my old dear works all day, I'm going to target my sister for this little act of subterfuge. I promised you a little bit of basic psychology, and here it is: social engineering. What do we know about it? There are more than enough definitions kicking about out there, some of which are more relevant in this case than others, but the gist is that by appealing to a person's weaknesses, we can gain information, or access somewhere. I remember being 13 or so, and asking someone their favourite film in order to answer their secret question on Hotmail, gain access to MSN Messenger and masquerade as them. This in itself is a good, although unimpressive and unambitious, example of social engineering.
We've already taken it as read that sending some link, or an email with a link in it, is unlikely to get us any results. Luckily, I know something which may do the trick. My younger sister is rather a fan of the Disney Channel. I also know that recently a Disney Channel original movie came out (she told me, honest) that she didn't get to see. Another thing I know is that I could very easily find the name of this movie (they don't tend to keep them secret). I also know (what are we at, 4 or 5 things I know? Call Mensa) that given the opportunity to watch this film, my younger sister will probably go for a copied CD she finds on the kitchen table, put it into her laptop, click on anything the disk tells her is called 'Wizards: The Movie' and not be suspicious should it error.
Did it Work?
Strictly speaking, I ought really to have had the server fire off a couple of packets in my direction to alert me, or to have had it do something just as illuminating. In the end, I just tried connecting every 30 seconds after I knew it was gone to see if the port was open. Third attempt and we were laughing. Because I'm quite a nice guy, I didn't actually do anything with it. I knew it worked; I saw the connection was open. I sent a quick eject and that was it: connection dead, server terminated. Of course, a truly malicious bastard would have added it as a Windows service, given everything an innocuous name and added it to some bloody botnet.
Social Engineering
The problem is, much of the above isn't really about social engineering. Let's face it, most of it is about how pissed off I got trying to cross-compile C, and having to mess about with compilers on a Windows box. (MinGW in the end, if you're that bothered.)
But let's look at what little we learned about a particular social engineering practice. We learnt that given enough knowledge about a person, we can probably tailor an attack to them. Did we learn anything inadvertently, though? Well, how about the fact that we left the disk out; we didn't hand it over? What would have changed had we done this instead? A similar point was made by Schneier in an article about trust in computing, which can be found here. We can take some of these lessons here: a disk you find is potentially safer than one handed to you without prompting, because the one that is handed over borrows whatever trust you place in the person handing it over.
Anything else? Well, once again, suppose we had been up against someone a little less, dare I say, dense? What effect does intelligence have here? And should that have been a factor, would it have been possible to appeal to intelligence? Could we have handed it over with a jovial "Don't worry, I wouldn't have tried to trick you. You're far too clever for that!".
Possibly, but in such a situation you're probably going to do it on a wider scale. If we keep with the idea that dropping CDs about is quite fruitful, we need to work to the lowest common denominator. Logically, the best thing in such an attack is to ensure nobody sees who you are. So we may need a new playground here: preferably a large network, hopefully with plenty of regular users with no concern for security, and somewhere to act as a control hub outside of the public eye, as it were.
Back when I was a student, we used to talk, though mainly jokingly, about doing just this. The situation is bang on: plenty of university students who couldn't care less about security, and thousands of computers. Suppose we redesign our little program, maybe take an hour or so to stop being script kiddies ourselves and learn how Winsock works. Could we create what would essentially be tantamount to a botnet? Of course we could. That has never been in any doubt.
No, we need to appeal to the lowest common denominator. Now, call it a generalisation, but as they say, sex sells. Suppose we label each disk 'Porn Collection'. Suppose then we leave two disks in as many computer rooms as possible. Suppose our users put the disk in, and are duped into installing. Suppose, when nothing pornography-related happens, they put it down. Suppose further (a lot of assumptions, but stick with it) that someone else does the same on a different box. Bugger it, even once per disk, so twice per room, we may have enough boxes for whatever nefarious deed we may want to do.
Wot? No Passwords!
Okay, you're not impressed with the ease with which we could set up a botnet over the course of a day? You want passwords and data? Great, how about an update on the old "This is the administrator, what's your password?" scam? Bruce Schneier's Secrets and Lies (if you haven't read it, do!) has a good couple of pages which go some way to explaining the psychology of this attack better, but the book is 9 years old now (or at least it is at the time of this article's publication). Do people still fall for such a stupid attack? The answer is a very non-committal 'Kinda. A bit.' Ross Anderson also details similar attacks in his also fantastic book, Security Engineering.
There needs to be, then, a new way of getting passwords, and it kinda goes back to the email scam. It is in fact touched on slightly in the Schneier book, though I seem to remember reading about it in more detail elsewhere; I was sure, actually, that it was in here that it was covered better. But hey, no matter. The idea is that instead of asking for passwords, we pretend to be an automated system suggesting a new password. This is based upon three main ideas:
Essentially, given an official enough sounding email, from an official enough spoofed email address, in enough numbers, we should be able to get access to enough accounts. And, of course, this would all be heavily automated. This all sounds very nice and simple on paper, but it has also been done in the real world. Couple it with a kind of 'friendly admin' character, like at Phantom Access in 1993. If we can work out a killer message and sort out a good way of checking whether or not passwords have been changed, we still need to find the email addresses to use. That being said, if at this point our largest problem is this, then fair play.
Review
So okay, what have we actually learned from this rambling, somewhat incoherent article that kept forgetting what it was saying? Well, that essentially with very basic programming and a bit of thought, there is no reason anybody couldn't take very easy concepts and gain very basic access to systems. Now yes, on large systems it ought to be pointed out that you're going to have limited access; the server runs with whatever privileges the user who launched it has, so you'd still need to suss out a way of elevating your account. I got root on my younger sister's laptop (hey, remember that way up there?), but perhaps there is some correlation between people susceptible to these attacks and people who run with fully elevated privileges.
There is also an obvious correlation between the number of victims and the visibility of an attack. Basically put, the more people you target, the more likely the attack will be caught; this isn't a question of the likelihood of being reported, or the probability of targeting the wrong person. It is more about the flood of emails, or the sudden visibility of someone's porn collection kicking about.
I'm sticking with it though: if any of these malcontent little buggers kicking around on Metasploit finds a C++ tutorial and some imagination, the Guardian will crap itself, and I'll have something new to get annoyed about.