Social Engineering

    • #2164
      mambo
      Participant

      Hey guys, for those pen testers out there, just thought I'd show you this.

      Thought it might be a good read about using Social Engineering to gain usernames and passwords.

      http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

    • #16575
      Mr. Roboto
      Participant

      I love the “sprinkle your receptionist’s candy dish with USB drives and see for yourself” comment.  People are so naive.

      Great post.

    • #16576
      RoleReversal
      Participant

      One word: nice

      ;D

    • #16577
      njemjy
      Participant

      Great article… Thanks for posting.

      I am in the process of trying to do the same thing within my organization.  Unfortunately, I don't have someone who can write the trojan for me.

      Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?

      Thanks,

      njemjy
      CISSP-ISSEP

    • #16578
      iSmith
      Participant

      BRUTAL ;D

    • #16579
      Kev
      Participant

      Social engineering is my least favorite part of this job. I am not good at being a “con” guy.  I really try and shy away from contracts that require that.  I got into this field because I love technology and I love computers.  I love trying to find a way in. It’s like solving a puzzle and I didn’t get into this field to see if I could lie or sweet talk the secretary at the front desk! Well, not unless she’s hot of course, lol!  But really, I hate for hacking to be equated with social engineering. 

    • #16580
      RoleReversal
      Participant

      @Kev wrote:

      I am not good at being a “con” guy. 

      I’ll second that, if I was that good at lying to people I would have gone into management 😉

    • #16581
      slimjim100
      Participant

      I think sales guys are the best Social engineers.

      Brian

    • #16582
      Michael J. Conway
      Participant

      I think you hit that nail on the head slimjim. Social engineers rank up there with lawyers as some of the scummiest people, but it is part of the job just as a defense attorney has to defend a guilty person like they really are innocent. What a life we live….

    • #16583
      bigtone82
      Participant

      Our sales guys are the A’holes of the company…. but you know if you help them out sometimes you end up getting cubs tickets…  😉

    • #16584
      Anonymous
      Participant

      @njemjy wrote:

      I am in the process of trying to do the same thing within my organization.  Unfortunately, I don't have someone who can write the trojan for me.

      Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?

      Use ./msfpayload to generate a self contained executable. You can use any of the metasploit payloads for this. Obviously if you choose to use the connect back option you had better have something listening. Use the multi/handler option.

      With regards to Social Engineering, I fail to see how it is not a valid attack vector. You talk about Social Engineers being ‘scum’, etc… Is not part of your job as a pentester to simulate the attacks from these ‘scum’? It seems to me that if you avoid or discount this attack vector then you are doing your clients a disservice.

      If the scope requires it, then what is the problem? It seems that the idea that there is ‘no security’ amongst users is to blame. When assessing technical controls of a system, etc… don't you assign a grade or whatever scoring system you used based on the overall security of that system? I constantly hear the phrase “there is no such thing as 100% secure systems” or some variant thereof. If we apply this approach to technical controls that are put in place, how is it that we assume that the users should have 100% as a grade? Rather than assuming that all users are going to fail, perhaps the same approach you take to the technical aspects you should use when assessing users.

      So if you perform an SE type attack (email, IM, WEB, Phone, physical, etc) would this not produce certain metrics? This gives the organization an idea if their user-awareness programs are working or need improvement. I fail to see how this is not valuable. If you can show improvement over time by repeating the SE exercise then I see that as a good thing and something that has value to the company.

      dean

    • #16585
      KrisTeason
      Participant

      Good Post mambo,

      I also agree with dean on this subject. Although I’m not a certified penetration tester, I’ve done some reading in the area & sometimes what it has to come down to is Social Engineering. After all, isn’t that how we typically pull off successful client-side attacks, etc… Social Engineering does seem pretty ‘con’ but if I was being paid to test a company's security, don’t think for a second that I’d blow off using a social engineering tactic.

    • #16586
      Kev
      Participant

      I agree that Social Engineering is a valid approach to testing security. Kevin Mitnick is an amazing master of it. Regardless of that, it's my least favorite part of the job.

    • #16587
      RoleReversal
      Participant

      Dean,

      I agree with you that social engineering is a valid attack vector (and often the most effective).

      However, I think the initial comments (at the very least my own, but I thought others felt the same way) was that SE was something that wasn’t enjoyed. For myself this is largely a confidence issue, I’m not a ‘people person’ therefore trying to convince someone I’m something I’m not is something I don’t relish.

      I do enjoy the non-interactive, technical social engineering techniques however and have used dummy sites and spear-phishing as an alternative. Following this thread I’m looking forward to testing what happens when I ‘lose’ a USB stick, thanks for the advice you gave njemjy regarding msfpayload as this should come in useful in this regard.

      From those that are skilled at/enjoy social engineering, do you have any advice on how to best introduce yourself into a client’s environment? I can’t imagine anyone believing my cover stories, would you trust a nervous sweating bloke with your server room? 😉

    • #16588
      Anonymous
      Participant

      i can lie my ass off in an email though 🙂

    • #16589
      RoleReversal
      Participant

      @ChrisG wrote:

      i can lie my ass off in an email though 🙂

      LOL!  ;D

    • #16590
      Bogwitch
      Participant

      @RoleReversal wrote:

      Dean,

      I agree with you that social engineering is a valid attack vector (and often the most effective).

      However, I think the initial comments (at the very least my own, but I thought others felt the same way) was that SE was something that wasn’t enjoyed. For myself this is largely a confidence issue, I’m not a ‘people person’ therefore trying to convince someone I’m something I’m not is something I don’t relish.

      I do enjoy the non-interactive, technical social engineering techniques however and have used dummy sites and spear-phishing as an alternative. Following this thread I’m looking forward to testing what happens when I ‘lose’ a USB stick, thanks for the advice you gave njemjy regarding msfpayload as this should come in useful in this regard.

      From those that are skilled at/enjoy social engineering, do you have any advice on how to best introduce yourself into a client’s environment? I can’t imagine anyone believing my cover stories, would you trust a nervous sweating bloke with your server room? 😉

      Maybe I’m strange but I quite enjoy the SE side. Maybe it’s because I come from a service background and enjoy meeting the customers.
      Maybe it’s because I blend well and I don’t believe I look like your stereotypical computer geek or computer security geek – that makes it easier.

      But the general comments here are correct – SE is probably the easiest way to get into a system or at least to get close enough to get into a system!

      As for getting into a client site, don’t aim for the server room. Aim for other parts of the organisation and include the server room if necessary. If you can get access to a live network port, you’re 90% there anyway.
      Sometimes, using a toilet just off reception can get you the access you need – you might be surprised the route ethernet cables take – access is often just a ceiling tile away…

    • #16591
      mambo
      Participant

      Thanks guys, glad you enjoyed it.

      But for those people who do not enjoy the SE side of it because they have to talk to people, this article kind of proves to me that it's not all about talking to the customer and trying to get their password; using this method they don't even need to talk to the staff.

    • #16592
      Anonymous
      Participant

      Not all SE requires either phone or face to face contact but if it’s required then either hire someone or work on those people skills. If speaking to strangers or in public is an issue I would suggest starting to do presentations to your work colleagues about topics you have confidence in. This will get you comfortable speaking in front of people. Move on to doing presentations in your local infosec chapters (ISSA, ISACA, etc). It teaches you how to prepare and stick to a script and to have responses for possible questions that might be asked.

      Even if you choose not to actually interact with a user directly and decide on the email/website route for SE attacks you will still need to make sure that the emails/websites are well written and convincing, that they have the correct layout and graphics. ie: all links work, images/company colors are correct. This is just as difficult (or easy) as standing in front of a real, live person.

      If you’re not comfortable in front of people how do you present to a room full of clients about the results of the pentest? That aspect of being a pentester is as important, if not more so than being technically proficient.

      dean

    • #16593
      RoleReversal
      Participant

      @dean wrote:

      I would suggest starting to do presentations to your work colleagues about topics you have confidence in. This will get you comfortable speaking in front of people.

      If you’re not comfortable in front of people how do you present to a room full of clients about the results of the pentest? That aspect of being a pentester is as important, if not more so than being technically proficient.

      I think you hit the nail on the head, confidence for me (or lack of it) is the key to doing what's needed. Stick me in a room full of suits and directors and I’ll quite happily discuss a vulnerability in layman’s terms. Stick me on the phone to a security guard to convince him that “the BLT drive on my computer just went AWOL” and it’s a whole different ball park  😉

    • #16594
      njemjy
      Participant

      Use ./msfpayload to generate a self contained executable. You can use any of the metasploit payloads for this. Obviously if you choose to use the connect back option you had better have something listening. Use the multi/handler option.

      @ dean — Thanks for the info…

    • #16595
      shawal
      Participant

      Nice one Mambo  ;D
      Dean, very well said.
      In the penetration testing world, everyone will have an area of strength, and another area of weakness. That’s why it is always better to have a team to complement each other's skills. I find SE and DOS are the least of my interests, as what triggers me more is the technical side of it, and most of DOS/DDOS are not challenging enough/interesting enough for my appetite. However, if this is part of the job then it has to be done, and it has to be done carefully within the scope of work requested, and the scope of legal rights of all parties involved.

    • #16596
      Michael J. Conway
      Participant

      Dean,

      I think you are right on with the SE and in getting comfortable with presenting. I’m lucky enough to be in a job where presenting is a recurring theme. I got to go to a conference that was primarily for the powers that be in the Air Force enlisted aviation community to brief on the policies and procedures here at the Community College of the Air Force. Every one in that room out-ranked me. One of the things that helped me get through was the knowledge I had of our procedures as well as some of the prep I did before going down there with people that had done these conferences for their career fields (MOS in Army talk). Being prepared for a presentation is by far the best confidence booster you can have. That and surviving a room full of folks that have been giving each other a hard time all week long before you get up to speak.

Copyright ©2021 Caendra, Inc.