In my previous post, How Can I Successfully Hack My Home Network? I set the stage for my “Hacking my Home” activities. A possible scenario here is that I am given the task to penetrate a high-profile target’s (i.e., myself 😀) home network and collect as much information to use for malicious purposes. Before I start doing anything though, I need to prepare myself.

Let’s think about what will I need for my activities. Laptop, Internet connection… Well, (almost) everybody has those nowadays. Let’s look at some not so obvious things.

First, I will need some fake online identities that I can use to send emails or connect with people close to my target. For this, of course, I will need to have one or more email addresses. In the past, creating a Gmail or Hotmail address was trivial. Now though, even Yahoo requires you to have a phone number for verification. That makes things a bit more complicated, but not impossible. A quick search on Google or Bing will give you a good list of burner phones that you can buy for as low as $10 at retailers like Fry’s or Wallmart. However, one good option is the Burner app – for just $5/month you can have unlimited calls, texts, and monthly number swaps. There are many uses of it:

  • Use it for general privacy – never give your real phone number on the web or anywhere else (just this is worth the money)
  • Use it for registering new email addresses or social media accounts
  • Make phone calls to avoid Caller ID (we all get those from marketers and scammers)
  • Most importantly, send text messages to avoid Caller ID

If you only need a masked phone, you can also use the Blur app from Abine. There are many other options if you search the web but be careful with the reputation. I decided to try both, Burner and Blur in my next step.

Armed with burner phone numbers, the next step is to create email addresses that I can use for various registrations. Yahoo emails are frowned upon; that is why I decided to go with Gmail. I will need to think of creating a complete online personality that I can use to send emails, engage in conversations, etc. Without knowing what will work, creating a male and female personality will be helpful.

The first step is to choose some trustworthy names. Although fancy, names like North West and Reality Winner 😀 will look more suspicious than traditional English names like John or Mary. Not surprisingly, a simple Google search gives you thousands of pages with names that inspire trustworthiness. So, I choose some of those to name my two personalities. Because I don’t want those to be known, I will use the first initials from now on to differentiate between the male (RJD) and the female (SMJ). Now, let’s go and create some e-mail addresses and social media profiles.

One complication while creating Gmail accounts is the verification process. Google requires your phone number for account creation, and after typing any of the burner phone numbers, I got an error message that the number cannot be used for verification (kind of a bummer, I thought). Interestingly though, after the initial verification (for which I used my real cell phone number), I was able to change the phone number AND verify it using the burner ones.

Next is Facebook. Despite all the efforts Facook is putting to prevent fake accounts, creating a Facebook account doesn’t even require text verification. With just an email, you can easily go and create one. Of course, if you want to change your username, you will be required to verify your account via mobile phone. The burner phones work like a charm with Facebook.

After Facebook, creating an Instagram account is a snap. Picking up a few celebrities to follow is, of course, essential to building up the profile. Be selective when you select people to follow from the suggestion list, you don’t want to look like a bot by following every possible person. Later on, after I gather more intelligence on my targets’ interests, I will tweak the following base to match better their interests, but for now, this will be enough to start building a profile and also getting access to information that is behind the Facebook and Instagram walls.

The Twitter registration process is as simple as Instagram. You don’t need a mobile phone for Twitter – e-mail is enough for the confirmation code. Once again, choose a few select accounts to follow to start building your online profile and reputation.

Creating LinkedIn account is a bit more elaborate. Similar to Gmail, LinkedIn requires real phone number for verification – both burner phones failed here. Of course, LinkedIn doesn’t immediately ask you to add your phone number for notifications. However, their account creation wizard required at least one job title and company. Not unexpected, this stumbled me a bit because I had to think what will be the best title and company to choose from. LinkedIn has one of the cripiest experiences for account creation. The most scary part for me was the ability to pull all my contacts from… well somewhere (I will need to dig into that later on). Nevertheless, my recommendation is to do the registration on a burner laptop that has none of your personal information on it. The next crippy thing was the recommendations – I got some high profile people recommended to me and of course I clicked on a bunch before I realize that it sends invitations to those people. This could have blown my cover because it recommended mostly people working in the company I chose as my employer. Surprisingly to me though just a minute after, I had a request accepted, so I decided that maybe I should not be worried so much. One important thing you need to do on your LinkedIn profile is to change the Profile viewing options in your Privacy settings to Private mode. If you do not do that, people whose profiles you look up will get notified who are you, and you want to avoid that.

Although some people may accuse me in profiling, I have to say that I chose to use the female account for Facebook, Instagram and Twitter and the male for LinkedIn initially. The reason is that I didn’t want to spent time doing all those registrations before I know more about the targets.

Now that I have all those fake accounts created, I can move to the next step: doing some online research about my target. To do that, I don’t need full profiles established but I will try to generate some online activity in the mean time to make those accounts more credible.

In my next post, I will demonstrate how easy it is to gather basic social engineering intelligence using the above accounts as well as free web sites. Stay tuned…

Disclaimer: This post describes techniques for online reconnaissance and cyber attacks. The activities described in this post are performed with the consent of the impacted people or entities and are intended to improve the security of those people or entities as well as to bring awareness to the general public of the online threats existing today. Using the above steps without consent from the targeted parties is against the law. The reader of this post is fully responsible for any damage or legal actions against her or him, which may result from actions he or she has taken to perform malicious online activities against other people or entities.

This morning I was looking at our company’s e-mail gateway and cleaning some of the quarantined messages when I got reminded that while my company’s digital infrastructure may be well protected with firewalls and e-mail gateways, my home network can be wide open and vulnerable to attacks. Like everyone else, I try not to spend too much time configuring my home network and rely on my “ISP to take care of it.” Well, this is a silly approach because the ISPs don’t care about our cybersecurity. It took me hours on the phone, two bricked routers and a house visit (for which I paid of course) to convince mine to replace their outdated router with a simpler gateway device so that I can use my own Eero as the main router and Wi-Fi access point. However, replacing an old router is not something that will solve my cybersecurity issues. Hence, I decided to stop procrastinating and make the first steps to execute on my idea to do some penetration testing on my home network. You will be able to find all my steps and (successful and failing) attempts in the series of Hack My Home post, so let’s get started.

The first thing I need to start with is to decide what my goals are. The best way to do that is to put myself in the hacker’s shoes. If I am a black-hat hacker who wants to attack an Ordinary Joe, what would I like to get from him? Here are a few things that come to mind:

  • Like many of you, I have a file server or NAS device at home, where my family stores a lot of information. Pictures, tax returns, scanned personal documents and what else. Having access to this information may turn beneficial. Hacker’s goal #1: Get access to the file share!
  • Having access to personal information may be useful, but if I am looking for fast money or a way to do bigger damage, harvesting credentials may turn out better. There is a good chance I can find some passwords in a text file on the file share, but because I don’t save mine in plain text, I need to look for other options. Hacker’s goal #2: Steal a password of a family member!

Here is the moment for a disclaimer. Because this is my home, I believe, I have full authority to hack into my devices. If I discover device vulnerability, I will follow the responsible disclosure practice and will need to delay any posts that describe the approach of breaking into the device. Regarding the second goal, stealing a password, I have full (verbal) consent from my family to do that. I also have full access to almost all of their passwords, so I don’t consider this an issue. However, if you are planning to follow my steps, please make sure that you get consent from your family – they may not be so receptive to the idea.

Next, are some assumptions. The biggest one is to assume no knowledge of my home network. Initially, I thought I should start with a diagram of my network, but this will assume I know the details. What I need to do is to get to the details from the outside using public information. If you think about it, the information that hackers can easily (and legally) obtain is the following:

  • Domain name
  • IP address
  • Email address
  • Home address
  • Phone number
  • Social media profiles

This is an excellent set of starting points, isn’t it? Some of those things may be easier obtained than others. Hence, I will need to do some research online to figure out everything I need. I will walk through each step in separate posts. For now, let’s figure out the ways I can digitally break into my home and define some simple next steps.

If I know the IP address of my router, I may be able to attack my home remotely over the Internet. For this though, I need to figure out the IP address of my router. So, one of my next steps would be to figure out an approach to do that.

If I know the location of my home, I may try to attack my home Wi-Fi network and break through it. That will be a little more complicated approach because it will require for me to be close to my home and to use some specialized devices. There may be other wireless devices in my home that I may be able to get to but those will again require some proximity to the home to exploit.

Of course, for my testing purposes, I would like to explore both approaches, but I will need to start with one of them. Because I think the remote exploit higher chance to happen, I would start from there. As a next step, I would need to figure out the entry point for my home from the open Internet, i.e., I need to figure out my router’s IP address.

In my next post, I will walk you through my thought process, the steps and the tools I can use to obtain my home’s IP address.