HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 37 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Social Engineeringarrow I would like to hear from people who actually use social engineering in theirjob
EH-Net
May 25, 2013, 07:08:12 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1] 2   Go Down
« previous next »
  Print  
Author Topic: I would like to hear from people who actually use social engineering in theirjob  (Read 23680 times)
0 Members and 1 Guest are viewing this topic.
YuckTheFankees
Sr. Member
****
Offline Offline

Posts: 324


View Profile
« on: October 11, 2011, 12:50:02 AM »
I would like to know how you prepped for the social engineering and maybe an example of one you have completed. thank you!
Logged
OSCP in progress
lorddicranius
Sr. Member
****
Offline Offline

Posts: 447



View Profile WWW
« Reply #1 on: October 11, 2011, 01:10:30 AM »
I don't use it in my own job, but Matias Brutti and Mike Ridpath of IOActive did a presentation here at B-Sides PDX this last weekend on how they use SE, along with recordings of calls they've done on the job:

http://www.ustream.tv/recorded/17736407

Jayson Street did his "Steal everything, kill everyone, cause total financial ruin" talk at DerbyCon two weekends ago about his use of SE during his night job:

http://www.youtube.com/watch?v=8esU0G5zlRU
Logged
GSEC, eCPPT, Sec+
YuckTheFankees
Sr. Member
****
Offline Offline

Posts: 324


View Profile
« Reply #2 on: October 11, 2011, 08:51:33 AM »
That's some good stuff, thanks a lot!
Logged
OSCP in progress
millwalll
Guest
« Reply #3 on: October 12, 2011, 04:13:44 AM »
There is also a really good book on SE called hacking the human.
Logged
YuckTheFankees
Sr. Member
****
Offline Offline

Posts: 324


View Profile
« Reply #4 on: October 12, 2011, 08:43:27 AM »
Is that a newer book?
Logged
OSCP in progress
millwalll
Guest
« Reply #5 on: October 13, 2011, 05:13:48 AM »
its pretty new here link on amazon http://www.amazon.co.uk/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_3?ie=UTF8&qid=1318500808&sr=8-3
Logged
YuckTheFankees
Sr. Member
****
Offline Offline

Posts: 324


View Profile
« Reply #6 on: October 13, 2011, 09:07:04 AM »
Okay cool. I've seen that book a couple of times on Amazon, I'll have to double check if safari books has it Grin. I've read one SE book and it was really interesting. The author would start with his story and after the 1st page I would try and guess what kind of information he was going after but I was never right. He would go 5 steps to the left just to get a little piece of information, then do something else where I was like " how does this relate at all"..then BAM he finally tells us what he was doing and it all made sense. I feel like SE is almost impossible to stop if someone plans the SE well enough.
Logged
OSCP in progress
OneManicNinja
Newbie
*
Offline Offline

Posts: 1


View Profile
« Reply #7 on: November 15, 2011, 04:00:13 PM »
if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!  Wink 

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.
Logged
jibudada
Guest
« Reply #8 on: May 19, 2012, 04:17:40 AM »
Quote from: OneManicNinja on November 15, 2011, 04:00:13 PM
if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!  Wink 

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.













Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."[1] Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.[2]


http://www.securitytube.net/tags/social%20engineering
Logged
millwalll
Guest
« Reply #9 on: May 27, 2012, 04:01:59 AM »
This is a pretty good talk on SE at BSIDESLONDON  https://www.youtube.com/watch?v=gkDct933o6A&list=UUcKbtsDi0qm-rmawx32Gmfg&index=1&feature=plcp  There are slides too somewhere Smiley
Logged
UNIX
Hero Member
*****
Offline Offline

Posts: 1235


View Profile
« Reply #10 on: May 27, 2012, 05:30:49 AM »
The slides are available here.
Logged
fred
Sr. Member
****
Offline Offline

Posts: 351


The World is sick, Save your mind...


View Profile
« Reply #11 on: May 31, 2012, 03:01:52 AM »
Quote from: Jamie.R on October 12, 2011, 04:13:44 AM
There is also a really good book on SE called hacking the human.

Quote from: aweSEC on May 27, 2012, 05:30:49 AM
The slides are available here.


Very very great resources thank you all. but i think ethical hackers dosent use social engineering ofcourse its a good method to gain sensitive info but its not a pentest technic

anyway thanks alot!!
Logged
ICS Academy Network Security Certified
hayabusa
Hero Member
*****
Offline Offline

Posts: 1633



View Profile
« Reply #12 on: May 31, 2012, 06:40:49 AM »
@cyber.spirit - ethical hackers ABSOLUTELY use social engineering.  Its use depends on the scope of the contract, but if physical security and system access are called out, then it's critical to be able to use social engineering skills to gain access and gather information.  Even if physical security is NOT in scope, there are times when impersonation over the phone or email, or other SE tactics are still VERY useful in gathering recon data to scope out and penetrate the target.

(Edit:  Remember, the goal of a good pentester is to show a company their weaknesses...  If that includes proving that security awareness training is not a solid piece of the target company's security posture, then so be it...)
« Last Edit: May 31, 2012, 06:42:38 AM by hayabusa » Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
lorddicranius
Sr. Member
****
Offline Offline

Posts: 447



View Profile WWW
« Reply #13 on: May 31, 2012, 08:46:30 AM »
@cyber.spirit: Chris Hadnagy has written up some great articles here at EH-net on the use of SE in pentesting as well:

http://www.ethicalhacker.net/content/category/7/43/24/
Logged
GSEC, eCPPT, Sec+
dalepearson
Sr. Member
****
Offline Offline

Posts: 357


View Profile WWW
« Reply #14 on: August 25, 2012, 06:46:14 AM »
if you are looking to simulate real world threats, then SE should certainly be a component of that threat simulation.
Logged
:: Subliminal Hacking :: / :: Security Active Blog ::
Pages: [1] 2   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.578 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.