Posted by: Jeromie Jackson
I was recently talking with the owner and a few of the repairmen at County Heating & Air Conditioning. I’ve used them for years, both for repairing and for installing equipment, and definitely recommend them.
As we talked, with them in their outfits, I realized this would be yet another great ruse for me to use. During my social engineering engagements I’ve posed as a property manager, a reporter, a delivery guy, and various other vendors. I had not thought of being the Air Conditioning Guy! Looking up in ceilings, wielding ladders, accessing the roof, and walking through various suites would be normal routine for them. Hatcams would look like normal business attire. Accessing the ceilings would quickly validate whether the datacenters have walls extending all the way to the roof, or whether it would be easy to jump over through the drop-ceiling. Backpacks, toolbags, and other electronic devices are often carried around without question.
When profiling a site I take into account the primary environmentals: electricity, water, and HVAC systems. In particular I’m looking to identify manufacturers, model numbers, locations, and security associated with chillers, pumps, air handlers, fresh air intakes, gravity exhaust dampers, and fire system interfaces. The information can then be used to identify threats, vulnerabilities, and risks associated with the equipment, and potential entries after hours. Own the role when you are working a social engineering engagement. If you are a repairman, feel confident in your shoes and do not back down from any trivial questioning from staff.
Always be cautious of unescorted visitors in internal office spaces. Badges for everyone on-site are preferable, escorts are recommended, and visitors should certainly be questioned. I look forward to my next onsite social engineering engagement.