
Strategic Placement


“Although this article may look an awful lot like ChattyBot, I wrote it myself completely. Let's replace AI.”


Today, pretty much all tools and methods are fair game when it comes to both offensive and defensive security, especially when we're talking about social engineering.

Using the targeted ads of the various platforms and providers, like Google AdWords, was already shown in the TV series Mr. Robot. Nowadays we can use this both ways: as an attack and delivery method, or with GHunt and other tools to identify someone through their AdWords ID. One step up, for lack of a better term, is the use of YouTube videos made to distract or influence your opponent, followed by creating entire Facebook groups about a topic, the latter being less spear phishing and more broad-net phishing.

How to beat 2 Chessmasters

When I was a kid, I watched one of those cheaply produced, two-part movies. A four-hour story about secret agents and a housewife hero who played them all. I don't remember the exact plot, but her great move was a kind of bet that she, never having played chess before, could beat two grandmasters at the same time.

Actually, the bet had a few more details: she bet she would either beat at least one of them or finish them both in a draw. You probably already guessed what tactic was used: she played them against each other, let one start as White to make the first move, came up with an excuse, and switched tables to the other grandmaster to make the exact same move. In hindsight, a pretty lame twist.

What sounds awfully unrealistic in a movie (how come nobody noticed?) can easily work out in real life, in a world where every participant treats OpSec as the ultimate goal and would rather lose a battle than give up their agenda.

Applied SE Tactics - Game of Pwns

How could we use this tactic in everyday cyberwar? We already learned that good OpSec means not only anonymizing technical details, but also applying deception.

Say you plan to extract information, but you wanna fly low. No malware, no interrogative phone calls, the same lame recruiter setup (cause you lack any creativity). But you want to make sure that your opponent cannot tell who you are simply from the type, or some detail, of the information he tries to rip from you.

Cause usually, when someone puts an anonymous note on the fridge saying “Who ate my fucking Yoghurt???”, the thief not only knows that he is the one in question, he also knows who likely wrote the note and why they're asking.

Let's try to solve this by using the chessmasters' tactic, with some adaptation. Assume you're working for a university research center, one sponsored by a large softdrink company. For your information-extraction SE attack, you make a website. It's generic enough not to tell who you really are or why you're asking for this particular information.

After your attack, your opponent, who also works in softdrink research, starts to do his OSINT work on you and your website. He realizes that your IP address hosts a lot more websites, other VHosts. Not enough to be shared hosting (shared hosting providers usually try to squeeze 10k domains onto a single IP), but too many for one person to have made. He opens a few of the websites and they tell a clear story: this IP clearly looks like it's run by a bunch of companies selling survival gear. One website is about tents, another is dedicated to fire starters. A survival forum, another small-brand gear webshop, and so on.

“Why are survivalists suddenly interested in our work?” - your opponent closes his research with more new questions than his efforts answered.

So, do I have to make 150 websites as decoys?

And what does this have to do with chess? Sounds like a terrible strategy. Except for the fact that you didn't make the websites.

You just found them.

Maybe you hacked one of the sites on that particular server. Or maybe, through a quirk in a hosting provider’s panel, simply by “asking friendly” on the provider’s support, an IDOR vuln, or any other way, you managed to get the same IP and your simple website onto the same server (and somebody just lost a bet).

Will your opponent be able to tell if the other websites somehow belong to you (the attacker) or not?
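The OSINT step above is where the opponent goes wrong: he reads co-hosting as co-ownership. From the analyst's side, the sound check is to score the ownership signals that actually travel with an operator (registrar, registration timing, non-default nameservers, a non-commodity TLS issuer) and to discount the signals an entire hosting population shares. The following Python is an added example, not code from the post; the records, the provider-default nameservers, the signal weights and the threshold are all constructed assumptions for illustration.

```python
"""Score whether domains sharing one IP also share ownership signals.

Added example, not the post's own code. All records below are constructed
sample data; the weights and threshold are assumptions, not a standard.
"""
from dataclasses import dataclass
from datetime import date

# Constructed: nameservers and CA organisations that every customer of the
# hosting provider uses. Matching on these says nothing about ownership.
PROVIDER_DEFAULT_NS = frozenset({"ns1.hosting.example", "ns2.hosting.example"})
COMMON_CA_ORGS = frozenset({"Let's Encrypt"})


@dataclass(frozen=True)
class HostRecord:
    """What a reverse-IP / WHOIS / certificate lookup would give an analyst."""
    domain: str
    nameservers: frozenset
    registrar: str
    created: date
    tls_issuer_org: str


def overlap_score(target: HostRecord, other: HostRecord, window_days: int = 30) -> int:
    """Count ownership signals two co-hosted domains share (higher = stronger link).

    Provider-wide signals (default nameservers, a CA everyone uses) are
    deliberately ignored so that mere co-hosting scores zero.
    """
    score = 0
    if target.registrar == other.registrar:
        score += 2  # same registrar: the operator's own choice, not the host's
    if abs((target.created - other.created).days) <= window_days:
        score += 2  # registered in the same window: a campaign-style signal
    shared_ns = target.nameservers & other.nameservers
    if shared_ns and not shared_ns <= PROVIDER_DEFAULT_NS:
        score += 1  # shared *custom* nameservers only
    if (target.tls_issuer_org == other.tls_issuer_org
            and target.tls_issuer_org not in COMMON_CA_ORGS):
        score += 1  # shared *uncommon* CA only
    return score


def assess_neighbors(target: HostRecord, neighbors, threshold: int = 3) -> dict:
    """Label each co-hosted domain as linked to the target or as co-hosting only."""
    return {
        n.domain: ("likely same operator" if overlap_score(target, n) >= threshold
                   else "co-hosting only")
        for n in neighbors
    }


# Constructed sample: the attacker's generic site plus its VHost neighbours.
TARGET = HostRecord("generic-survey.example", PROVIDER_DEFAULT_NS,
                    "RegistrarC", date(2024, 2, 1), "Let's Encrypt")
NEIGHBORS = [
    HostRecord("tents-shop.example", PROVIDER_DEFAULT_NS,
               "RegistrarA", date(2017, 5, 3), "Let's Encrypt"),
    HostRecord("firestarters.example", PROVIDER_DEFAULT_NS,
               "RegistrarB", date(2019, 11, 20), "Let's Encrypt"),
    HostRecord("survival-forum.example", frozenset({"ns1.forumowner.example"}),
               "RegistrarA", date(2015, 8, 9), "Let's Encrypt"),
    # Constructed positive case: same registrar, registered nine days apart.
    HostRecord("prepper-outlet.example", PROVIDER_DEFAULT_NS,
               "RegistrarC", date(2024, 2, 10), "Let's Encrypt"),
]

if __name__ == "__main__":
    for domain, verdict in assess_neighbors(TARGET, NEIGHBORS).items():
        print(f"{domain:28s} {verdict}")
```

Run as-is, the three survival-gear sites come out as "co-hosting only" because the only things they share with the target are the provider's nameservers and a commodity CA, while the constructed `prepper-outlet.example` record crosses the threshold on registrar plus timing. The point for the analyst in the story is that a shared IP on its own should never move a domain out of the "co-hosting only" bucket.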

Intelligames

Using third-party tools becomes second nature after a while. Even though they may not be as good as custom-made ones, missing lots of applied knowledge and deeper understanding, they will always remain a whole lot cheaper, easier and faster, and that way they beat the maker in almost all daily challenges. A lot of respect for that, none for the lack thereof.