hye guys, for those pen testers out there just thought id show you this.

thought it might be a good read about using Social Engineering to gain usernames and passwords

http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

One word: nice

 

BRUTAL

I'll second that, if I was that good at lying to people I would have gone into management

I think you hit that nail on the head slimjim. Social engineers rank up there with lawyers as some of the scummiest people, but it is part of the job just as a deffense attorney has to deffend a guilty person like they really are inocent. What a life we live....

use ./msfpayload to generate a self contained executable. You can use any of the metasploit payloads for this. Obviously if you choose to use the connect back option you had better have something listening. use the multi/handler opiton.

With regards to Social Engineering, I fail to see how it is not a valid attack vector. You talk about Social Engineers being 'scum', etc... Is not part of your job as a pentester to simulate the attacks from these 'scum'? It seems to me that if you avoid or discount this attack vector then you are doing your clients a disservice.

If the scope requires it, then what is the problem? It seems that the idea that there is 'no security' amongst users is to blame. When assessing technical controls of a system, etc... don't  you assign a grade or whatever scoring system you used based on the overall security of that system? I constantly hear the phrase "there is no such thing as 100% secure systems" or some variant thereof. If we apply this approach to technical controls that are put in place how is it that we assume that the users should have 100% as a grade? Rather than assuming that all users are going to fail perhaps the same approach you take to the technical aspects you should use when assessing users.

So if you perform as SE type attack (email, IM, WEB, Phone, physical, etc) would this not produce certain metrics? This gives the organization an idea if their user-awareness programs are working or need improvement. I fail to see how this is not valuable. If you can show improvement over time by repeating the SE exercise then I see that as a good thing and something that has value to the company.

dean

I agree that Social Engineering is a valid approach to testing security. Kevin Mitnick is an amazing master of it. Regardless of that, its my least favorite part of the job. 

i can lie my ass off in an email though :-)