
Social Engineering Practice 0x03

whole series: #1, #2

Consider this to be a pen&paper game.
Recently, you attended a housewarming party at a friend’s new place. They had just moved into a stunning high-rise apartment with strict access control. To get on your friend's floor, you had to check-in with the concierge and tell them the name of your friend, who would then unlock the elevator for the specific floor they were on. You couldn’t just press buttons yourself. As far as you could tell, they did not call your friend first before they let you up. But it could be that the concierge already knew that there was a party going on.
Around 11 PM, we decided to head down to the 8th floor, where there was an outdoor terrace and a pool. We had to stay with the host because only they could operate the elevator. The pool looked really nice.
A few days after the party, you started to wonder how you could get back on that floor without involving your friend in any way. You don't want to get them into unnecessary trouble.
But how would you do it?
5,000 sats bounty
Update
I have been to the building today and I noticed that there's an unguarded backdoor with an elevator inside but the elevator only goes up to the 7th floor:
[Image: backdoor elevator]
I didn't try the buttons but it looks like it will require a card since there's a reader. There was also a door to the staircase but it was locked.
However, that doesn't matter because I was able to enter the staircase and all floors I could have reached via this elevator through the front anyway: I entered the lobby and asked if I can wait here for my friend. The two guys in the lobby said 'sure.' After a minute or so of me "waiting" on the couch, I then asked if there's a restroom I could use. This is how I broke contact to try to explore the ground floor more freely, but there were also cameras everywhere.
When I left the restroom, I realized that the door to the staircase was literally the next door and it was indeed unlocked, so I quickly slipped through it and escaped the cameras.
[Image: staircase, first floor]
After reaching the 8th floor, I noticed that the access to the 8th floor was locked like this:
[Image: staircase, 8th floor]
This made sense because all the other floors were accessible via a car park anyway (see the buttons labeled P1-P7 in the first image).
What confused me was how the card reader was on the opposite wall of the door and not next to the door as on every other floor but I think that doesn't mean much.
[Image: door on floor 1-7]
After I made my photos to do some research at home, I left and entered the 7th floor (doors were unlocked). I then noticed that the main elevators have buttons only outside, but none inside:
[Images: elevator touchscreen with only ground floor available, with no buttons inside]
I pressed 'ground floor' and left the building after that.

While writing this, I wonder what happens if you just smash a card reader. Not that I would actually try it, but I think it's somewhat reasonable to assume that if a door were only locked by a card reader, the door would unlock as some case of safety mechanism. But since the door can also be locked via a regular key (and the card reader probably simply controls the bolt as a more convenient method to unlock the same mechanism), one would still need to pick the lock.
My conclusion is that getting to the 8th floor definitely needs more sophisticated social engineering techniques than simply taking the stairs.
Nice idea @grayruby though!
reply
Dude I think you should reward the bounty to yourself haha
Though I guess you didn't actually get to the 8th floor... yet...
reply
With this great recon, it seems like it would be more fun to try a non-social route.
First thought is lockpicking. Check out the lock again, look for the manufacturer and see if you can buy the same model. Then practice on it at home until you can lockpick it pretty quickly.
Another thought is to check the vendor of the elevator control panel. Then look for known security vulnerabilities. Maybe there is a way to clone a guest access keyfob, or there's a special access code for maintenance? This is probably less likely to work, but if it does it will be the most fun way to pwn the system.
Another possibility is that after you check out the system specs, you see that it does not track the identity of the keycard users. If that's the case, then you can just clone your friend's keycard and use it, it won't be traced back to him.
Social approach may depend on whether you want to get access to the 8th floor alone, or is crashing a party ok? Seems like the guard doesn't really check your credentials if he knows there's a party going on. So just ask your friend to tell you next time another tenant is hosting a pool party, then tell the guard "I'm here for the pool party." Just make sure you dress really cool and look the part when you do it. (This also involves your friend, but not in any way that can be traced back to him.)
reply
I was going to mention that about the system. I think it’s the best approach, along with lockpicking.
If you get a card with the same key, that’s enough. No one will question you.
reply
First thought is lockpicking. Check out the lock again, look for the manufacturer and see if you can buy the same model. Then practice on it at home until you can lockpick it pretty quickly.
this is a cool idea, I haven't thought of that! I wonder though if you can pick a lock that is additionally secured by a card reader. But a lock itself can be pretty hard to pick, too. I once had to get a door fixed and I used the opportunity to ask the artisan about locks and he showed me all the security features of my lock. I quickly lost hope to ever pick that lock, lol.
Another thought is to check the vendor of the elevator control panel. Then look for known security vulnerabilities. Maybe there is a way to clone a guest access keyfob, or there's a special access code for maintenance? This is probably less likely to work, but if it does it will be the most fun way to pwn the system.
Also very good idea but I need someone else's keyfob first unless it's really insecure. But it's definitely worth looking into!
is crashing a party ok?
Good question! Imo, it's okay. It does not get my friend into trouble and I simply want to get on the 8th floor. I don't even really want to stay there and get in the pool. I just want to prove to myself that I could get up there on my own.
So maybe I can just try to find a way to see if there's a party going on there so I don't even have to ask my friend.
reply
Damn you are really taking this mission seriously. I think you should try to figure out how to clone a key fob. Haha
reply
I am not here to fuck spiders
reply
I don't know that saying.
reply
44 sats \ 8 replies \ @ek OP 27 Mar
Wow, it’s one of my favourite things to say! @cryotosensei can confirm.
It’s Australian slang that means that you’re here for serious business, see this article.
Edit: Ok, that was a quite short article. Here is the definition from Urban Dictionary.
reply
It’s also one of my favourite things to say!
Join the club, @grayruby
Escape Elevator - Season 2
Directed by: @ek Produced by: @ek Cast: @ek Lead Voice Artist: @ek
In cinemas from 28th March.
reply
Since you didn't describe security systems, I don't see any alternative other than social engineering. I think you can get information at the reception desk by posing as a resident. Go in before the shift change or by phone and say that you are a new resident and that you are throwing a party and ask how guests are allowed to enter. Do they need to call in advance or is a list enough? Are visitors allowed as well? Depending on the availability of the person you are talking to, you can mention the 8th floor and how this area is reserved for residents.
Another solution I thought of is to research a unit that is for sale and pose as the agent for the unit. Ask someone else to call in advance, posing as a resident, and say that the agent will go to the unit with potential buyers who want to see the building and the common areas.
The problem with all this is the surveillance, in any case they will know that you are there for a short time and that you shouldn't be wandering around.
How your friend accessed the floor is an important question that can change the answer.
reply
19 sats \ 1 reply \ @ek OP 30 Mar
I think you can get information at the reception desk by posing as a resident. Go in before the shift change or by phone and say that you are a new resident and that you are throwing a party and ask how guests are allowed to enter. Do they need to call in advance or is a list enough? Are visitors allowed as well? Depending on the availability of the person you are talking to, you can mention the 8th floor and how this area is reserved for residents.
I think this approach is way too risky. Asking for all kinds of information about how 'guests' can enter would likely lead to a longer conversation, making it easy for them to eventually realize that I'm not actually a new resident. New residents probably receive all the necessary information in their contract, so that would likely be their first question:
Sir, have you not read the contract?
At that point, you've lost the initiative and are now the one answering questions instead of asking them. You either need to be extremely well-prepared—which comes with opportunity costs—or they'll quickly become suspicious. A social engineer should enter and exit the building without raising any suspicion.
To make this a lot less risky, you could call them with a fake number so they at least haven't seen your face when things went south. But still not effective imo.
Another solution I thought of is to research a unit that is for sale and pose as the agent for the unit. Ask someone else to call in advance, posing as a resident, and say that the agent will go to the unit with potential buyers who want to see the building and the common areas.
Also too risky. You're trying to impersonate people that usually already have established a relationship with them beforehand. But you just showed up, so that's very suspicious. Same with the "new resident" approach: they probably know the faces of their new residents or at least have a list with all of their information including their face at hand.
The problem with all this is the surveillance, in any case they will know that you are there for a short time and that you shouldn't be wandering around.
I think the main problem is that this seems too much like out of Hollywood. This ain't Hollywood, this is real life with real consequences.
Still thanks for the answer though! Gives me a chance to explain how I think about approaching this situation.
reply
I thought of different approaches to achieve the goal. When you said it was a real case, I had already sent my response and didn’t want to change it lol.
Well, in this scenario, and considering your update, it’s clear that security is well-prepared in blind spots—they have a great security expert. I still think my approach is valid, though it would need a lot of additional details and refinements, especially if the goal is to gain access only once.
Since you managed to reach the 8th floor via the stairs and the door has a simple lock, wouldn’t a lockpick be viable?
I can only think of approaches that allow you to access the place once, like cloning your friend’s NFC card or even trying to get a duplicate.
An opportunity might be to enter during an event, but that would be a risky move—you’d be burning a chance and might get sent back by the host.
reply
This is like Mr Robot training, I like it!
Still mulling over an answer
reply
30 sats \ 0 replies \ @ek OP 26 Mar
This is like Mr Robot training, I like it!
Definitely heavily inspired by Mr Robot 👀
Still mulling over an answer
To be honest, this time I don't have an idea that I think would work without risking too much myself
reply
(if i win please sats not CCs 😭)
Access Control System:
  • The elevator is locked, and only residents (or authorized guests) can select floors.
  • The concierge has some level of control, but they might not always verify with the resident.
So,
  1. If the concierge recognizes guests for parties without calling up, you might be able to return by acting like a guest for a different resident.
  2. If someone who lives on the 8th floor enters the building and uses the elevator, you could discreetly join them.
  3. If the terrace is a common area, residents may go there often, and you could time your arrival with one of them.
Additionally, I think the following might help:
  1. Many high-rises have stairwells that allow movement down but not up. If you could access a higher floor and find an unlocked stairwell, you might be able to walk down to the 8th.
  2. If the concierge didn’t verify with your friend last time, they might allow access again with a confident request.
  3. Pretending you "left something at the terrace" might work if the concierge is lenient.
reply
5 sats \ 1 reply \ @ek OP 26 Mar
if i win please sats not CCs 😭
I always send sats, it’s up to the receiver to have a properly working lightning wallet when I zap them.
Pretending you "left something at the terrace" might work if the concierge is lenient.
I like this!
reply
thanks :)
reply
Take the stairs.
reply
45 sats \ 4 replies \ @ek OP 26 Mar
I'll check out the building tomorrow and will report back if it's really that easy lol
reply
wait, so you had a real place in mind? haha
my first thought was stairs too, but I figured a hypothetical scenario like this you'd tell us the stairway doors are locked. But in reality, there's a pretty good chance they're not
reply
130 sats \ 1 reply \ @grayruby 26 Mar
Stairs access probably isn’t locked but access to each floor from the stairwell might be. A building I used to live in was that way. You could freely access the stairs, but you need a key fob to access the floors from the stairs.
reply
70 sats \ 0 replies \ @ek OP 27 Mar
posted an update in #926316
reply
40 sats \ 0 replies \ @ek OP 26 Mar
wait, so you had a real place in mind? haha
Yes, with a real pool 👀
my first thought was stairs too, but I figured a hypothetical scenario like this you'd tell us the stairway doors are locked.
I would think so but I’d rather make sure first. Let’s see what I can find out tomorrow on my way to work without risking too much.
reply
Bribe the concierge?
reply
42 sats \ 1 reply \ @ek OP 26 Mar
How much? And how would you start the conversation?
reply
Starting a conversation is never really that hard. Just start asking him/her about themselves. Ask about their job, ask about what type of people are the worst to deal with etc.
As far as how much? Depends on how much I wanted to get onto that 8th floor.
reply
@ek did you not decide the winner yet?
reply
You check in with the concierge in your work clothes and claim you're going to clean the pool on the eighth floor.
;)
reply
A stealthier option is exploiting a delivery loophole. Order food or a package to a resident on the 8th floor—find a name via mailroom observation or a quick “forgot my floor” chat with the concierge beforehand. Pose as the delivery person, get buzzed up, and “accidentally” linger by the pool. You’d need to scope out a resident’s name first, which might take some recon, but it keeps your friend out of it.
reply
Return on a different day, tell the concierge: I'm visiting Friend’s Name on their floor. If they unlock the elevator, ride it to your friend’s floor—but stay inside and press 8 before the doors close. Since the elevator was already authorized for that floor, it might bypass re-authentication.
reply
if it was a friend, I would ask to make a copy of the magic keycard so I could just slink in whenever
if it was a friend and I was a sociopath, I would just make a copy of the elevator key card. I'm sure there's tech that does it
reply
I assume the elevator uses a sort of keypass? Go in soaking wet wearing nothing but your swimsuit and holding your phone. You can put on a swim cap and goggles for your disguise. Pretend to be really annoyed. Tell the concierge that you had been swimming when you got a call from your daughter/sister/wife (any woman close to you) that she'd thought she was going into labour but it was a false alarm. Say something borderline misogynist and passive aggressive as this will help in creating the illusion that you're a dolt. It will be obvious that your keys are in the pool locker room and he'll have to let you up.
reply
😂
reply