Last updated at Wed, 13 Dec 2023 23:56:58 GMT

One time, during a vishing-only engagement, the client gave me several phone numbers to contact, all part of a phone routing system. I wanted to understand what types of support calls the technical support person usually took before I actually chatted with anyone, so I performed OSINT and looked at Facebook, LinkedIn, and other sites to find current employees at the company. I also looked to see if there was any breach data that went along with the client’s name, and while I did find some, I wasn’t sure about how old or reliable the data was.

From there, I began my calls. One of the phone numbers routed me to a technical support person, and when they asked who I was, I pretended to be a specific employee I’d found using LinkedIn. My problem? I just got back from vacation and completely forgot my credentials!

“Totally fine,” said tech support. Since they already had my name, they just needed the last four digits of my Social Security number.

“No problem,” I said.

See, during the OSINT stage, I was able to gather usernames, since the client hosted a website login to its Citrix Portal. Also, the breach data I discovered happened to include several passwords that appeared to end in four digits, such as “Frank0201.” I took a swing in the dark, picked the last four digits from the breached password belonging to the LinkedIn user I was impersonating, and held my breath.

“Okay, great!” tech support replied. “I’ve reset your password to ‘Password1.’”

After tech support provided a reset password for this user, I took those credentials to Citrix, and it worked! The only problem now was that the login required answering questions the user had previously set up. Time for another call to tech support! I told them the questions I saw didn’t look familiar and asked if I could reset them. Again, no problem—they just needed my Social Security number.

Now that the security questions were reset, I was able to successfully log in to the client’s Citrix portal. With this kind of access, I was able to log in to a virtual desktop infrastructure via Microsoft Remote Desktop. From there, I was able to search a server file share for the words “password,” “passport,” “HR,” “Social Security,” and more. I got every single one.

I told the client what had happened, and they weren’t pleased to hear that their after-hours support likely didn’t even look up and verify the Social Security number. Because, as it turned out, the number I had provided wasn’t even correct.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.