This One Time on a Pen Test: Playing Social Security Slots

Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.

One time, during a vishing-only engagement, the client gave me several phone numbers to contact, all part of a phone routing system. I wanted to understand what types of support calls the technical support person usually took before I actually chatted with anyone, so I performed OSINT and looked at Facebook, LinkedIn, and other sites to find current employees at the company. I also looked to see if there was any breach data that went along with the client’s name, and while I did find some, I wasn’t sure about how old or reliable the data was.

From there, I began my calls. One of the phone numbers routed me to a technical support person, and when they asked who I was, I pretended to be a specific employee I’d found using LinkedIn. My problem? I just got back from vacation and completely forgot my credentials!

“Totally fine,” said tech support. Since they already had my name, they just needed the last four digits of my Social Security number.

“No problem,” I said.

See, during the OSINT stage, I was able to gather usernames, since the client hosted a website login to its Citrix Portal. Also, the breach data I discovered happened to have several password combinations that appeared to include four numbers at the end, such as “Frank0201.” I took a swing in the dark, picked the LinkedIn user’s last four numbers of their breached data, and held my breath.

“Okay, great!” tech support replied. “I’ve reset your password to ‘Password1.’”

After tech support provided a reset password for this user, I took those credentials to Citrix, and it worked! The only problem now was that the login required answering questions the user had previously set up. Time for another call to tech support! I told them the questions I saw didn’t look familiar and asked if I could reset them. Again, no problem—they just needed my Social Security number.

Now that the security questions were reset, I was able to successfully log in to the client’s Citrix portal. With this kind of access, I was able to log in to a virtual desktop infrastructure via Microsoft Remote Desktop. From there, I was able to search a server file share for the words “password,” “passport,” “HR,” “Social Security,” and more. I got every single one.

I told the client what had happened, and they weren’t pleased to hear that their after-hours support likely didn’t even look up and verify the Social Security number. Because, as it turned out, the number I had provided wasn’t even correct.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.

Category: asked May 19, 2022
