Hacking_and_Penetration_Testing_with_Low_Power_Devices
Installing devices
example, wearing blue coveralls and trying to pass yourself off as being with
BellSouth in Atlanta, Georgia, is likely to be much less successful than wearing the same
and claiming to be from British Telecom in London.
Successful pretexts can vary widely. One of the simplest pretexts is to pretend to
be a customer or potential client. This is not likely to get you much access, but in
some cases, it may be enough to plant a drone or two inside the office. If you are
going to plant devices in the middle of the day, you need to be quick and discreet.
If you are going to risk planting things in the office, you might want to focus on wall
or USB-powered devices if your test will run for more than two days (the approximate
run time for a drone on D cell batteries).
On the more sophisticated end of pretexts, you might impersonate a worker or job
applicant. Getting a job with the cleaning subcontractor might take a while and might
be harder than it first appears thanks to bonding issues and government regulations.
Leave getting a job as a cleaner or abducting workers to gain access to the facility
after hours to the movies.
It is unlikely that most companies will perform any sort of background check
prior to interviewing job applicants. Preemployment tests of programming and/or
software design skills are fairly common when applying for software positions.
Applicants are typically left alone during these tests. Take care not to perform too
well on these tests. If you look like a top candidate, it could extend your time in
the office with no benefit to you.
DON’T WASTE YOUR TIME
When being the best isn’t best
I cannot overemphasize the need to be mediocre when taking any tests. You want to be forgettable
and to give the target little reason to waste your time with an interview. If you perform well, they
may well decide to extend the interview and/or bring in more people to the interview.
I once went to an interview over lunch. The company gave me a ridiculously long C++ test.
After spending a good hour and a half on the test, it was time to start the interview. I spent another
half hour answering questions on my impressions of the test. It turns out I was the first to take
the test.
When the interviewer told me two hours into the ordeal that my salary requirements, which had
been clearly stated beforehand, were ridiculous and that nobody made that kind of money (despite
being equal to my current salary at the time), the company’s true motives for bringing me in for an
interview became clear. They were looking for a senior C++ developer with a decade of experience
to validate and give them feedback on their test. They had no problem wasting over two hours of my
time to get a free assessment. Remember to miss some questions on any tests so this doesn’t happen
to you.
While all of the stuff described above might sound like fun, if your target is using
wireless networking, it may be unnecessary. I do not want to discourage you from
trying to plant a few wired drones. Rather, I would hope you realize that wired drones
in the building are not a requirement for a successful penetration test.