HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 44 guests and 3 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow Social Engineering
EH-Net
May 22, 2013, 06:48:42 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1] 2   Go Down
« previous next »
  Print  
Author Topic: Social Engineering  (Read 11060 times)
0 Members and 1 Guest are viewing this topic.
mambo
Newbie
*
Offline Offline

Posts: 14


View Profile
« on: March 06, 2008, 04:11:15 PM »
hye guys, for those pen testers out there just thought id show you this.

thought it might be a good read about using Social Engineering to gain usernames and passwords

http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
Logged
Mr. Roboto
Jr. Member
**
Offline Offline

Posts: 67


Himitsu wo shiritai


View Profile
« Reply #1 on: March 06, 2008, 04:33:17 PM »
I love the "sprinkle your receptionist's candy dish with USB drives and see for yourself" comment.  People are so naive.

Great post.
Logged
A+, Security+, HDI Support Center Analyst, MCTS: Vista
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #2 on: March 07, 2008, 06:20:17 AM »
One word: nice

 Grin
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
njemjy
Newbie
*
Offline Offline

Posts: 2

If you dont know where its been, dont stick it in.


View Profile
« Reply #3 on: March 16, 2008, 01:28:32 PM »
Great article... Thanks for posting.

I am in the process of trying to the same thing within my organization.  Unfortunately, I dont have someone who can write the trojan for me. 

Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?

Thanks,

njemjy
CISSP-ISSEP
Logged
njemjy
CISSP-ISSEP
iSmith
Full Member
***
Offline Offline

Posts: 157


Do or do not. There is no try. - Yoda


View Profile
« Reply #4 on: March 16, 2008, 02:23:54 PM »
BRUTAL Grin
Logged
In my eyes, your operating system is as solid as swiss cheese.
Kev
Sr. Member
****
Offline Offline

Posts: 428


View Profile
« Reply #5 on: March 16, 2008, 10:56:51 PM »
Social engineering is my least favorite part of this job. I am not good at being a “con” guy.  I really try and shy away from contracts that require that.  I got into this field because I love technology and I love computers.  I love trying to find a way in. It’s like solving a puzzle and I didn’t get into this field to see if I could lie or sweet talk the secretary at the front desk! Well, not unless she’s hot of course, lol!  But really, I hate for hacking to be equated with social engineering. 
Logged
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #6 on: March 17, 2008, 03:22:09 AM »
Quote from: Kev on March 16, 2008, 10:56:51 PM
I am not good at being a “con” guy. 

I'll second that, if I was that good at lying to people I would have gone into management Wink
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
slimjim100
EH-Net Columnist
Sr. Member
*****
Offline Offline

Posts: 385



View Profile WWW
« Reply #7 on: March 17, 2008, 03:31:25 AM »
I think sales guys are the best Social engineers.

Brian
Logged
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
sgt_mjc
Sr. Member
****
Offline Offline

Posts: 294


View Profile
« Reply #8 on: March 17, 2008, 09:32:34 AM »
I think you hit that nail on the head slimjim. Social engineers rank up there with lawyers as some of the scummiest people, but it is part of the job just as a deffense attorney has to deffend a guilty person like they really are inocent. What a life we live....
Logged
Mike Conway
CISSP
CompTia Security +
C|EH
bigtone82
Newbie
*
Offline Offline

Posts: 7


View Profile
« Reply #9 on: March 17, 2008, 12:46:46 PM »
Our sales guys are the A'holes of the company.... but you know if you help them out sometimes you end up getting cubs tickets...   Wink
Logged
dean
Guest
« Reply #10 on: March 17, 2008, 03:04:14 PM »
Quote from: njemjy on March 16, 2008, 01:28:32 PM
I am in the process of trying to the same thing within my organization.  Unfortunately, I dont have someone who can write the trojan for me. 

Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?

use ./msfpayload to generate a self contained executable. You can use any of the metasploit payloads for this. Obviously if you choose to use the connect back option you had better have something listening. use the multi/handler opiton.

With regards to Social Engineering, I fail to see how it is not a valid attack vector. You talk about Social Engineers being 'scum', etc... Is not part of your job as a pentester to simulate the attacks from these 'scum'? It seems to me that if you avoid or discount this attack vector then you are doing your clients a disservice.

If the scope requires it, then what is the problem? It seems that the idea that there is 'no security' amongst users is to blame. When assessing technical controls of a system, etc... don't  you assign a grade or whatever scoring system you used based on the overall security of that system? I constantly hear the phrase "there is no such thing as 100% secure systems" or some variant thereof. If we apply this approach to technical controls that are put in place how is it that we assume that the users should have 100% as a grade? Rather than assuming that all users are going to fail perhaps the same approach you take to the technical aspects you should use when assessing users.

So if you perform as SE type attack (email, IM, WEB, Phone, physical, etc) would this not produce certain metrics? This gives the organization an idea if their user-awareness programs are working or need improvement. I fail to see how this is not valuable. If you can show improvement over time by repeating the SE exercise then I see that as a good thing and something that has value to the company.

dean
Logged
xXxKrisxXx
Hero Member
*****
Offline Offline

Posts: 512



View Profile
« Reply #11 on: March 17, 2008, 04:04:36 PM »
Good Post mambo,

I also agree with dean on this subject. Although I'm not a certified penetration tester, I've done some reading in the area & sometimes what it has to come down to is Social Engineering. Afterall, isn't that how we typically pull off a successful client-side attacks,ect...Social Engineering does seem pretty 'con' but if I was being paid to test a companies security, don't think for a second that I'd blow off using a social engineering tactic.
Logged
eCPPT, GCIH, OSCP, OSWP
Kev
Sr. Member
****
Offline Offline

Posts: 428


View Profile
« Reply #12 on: March 17, 2008, 05:01:41 PM »
I agree that Social Engineering is a valid approach to testing security. Kevin Mitnick is an amazing master of it. Regardless of that, its my least favorite part of the job. 
Logged
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #13 on: March 18, 2008, 05:49:55 AM »
Dean,

I agree with you that social engineering is a valid attack vector (and often the most effective).

However, I think the initial comments (at the very least my own, but I thought others felt the same way) was that SE was something that wasn't enjoyed. For myself this is largely a confidence issue, I'm not a 'people person' therefore trying to convince someone I'm something I'm not is something I don't relish.

I do enjoy the non-interactive, techinical social engineering techniques however and have used dummy sites and spear-phising as an alternative. Following this thread I'm looking forward to testing what happens when I 'lose' a USB stick, thanks for the advice you gave njemjy regarding msfpayload as this should come in useful in this regard.

From those that are skilled at/enjoy social engineering, do you have any advice on how to best introduce yourself into a client's environment? I can't imagine anyone believing my cover stories, would you trust a nervous sweating bloke with your server room? Wink
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
LSOChris
Guest
« Reply #14 on: March 18, 2008, 08:45:49 AM »
i can lie my ass off in an email though :-)
Logged
Pages: [1] 2   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.081 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.