.

Social Engineering

<<

mambo

Newbie
Newbie

Posts: 14

Joined: Sat Mar 31, 2007 8:11 am

Post Thu Mar 06, 2008 5:11 pm

Social Engineering

hye guys, for those pen testers out there just thought id show you this.

thought it might be a good read about using Social Engineering to gain usernames and passwords

http://www.darkreading.com/document.asp ... =column1_1
<<

Mr. Roboto

User avatar

Jr. Member
Jr. Member

Posts: 67

Joined: Thu Feb 14, 2008 9:57 am

Location: Ohio

Post Thu Mar 06, 2008 5:33 pm

Re: Social Engineering

I love the "sprinkle your receptionist's candy dish with USB drives and see for yourself" comment.  People are so naive.

Great post.
A+, Security+, HDI Support Center Analyst, MCTS: Vista
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Mar 07, 2008 7:20 am

Re: Social Engineering

One word: nice

;D
<<

njemjy

Newbie
Newbie

Posts: 2

Joined: Sun Mar 16, 2008 1:03 pm

Post Sun Mar 16, 2008 1:28 pm

Re: Social Engineering

Great article... Thanks for posting.

I am in the process of trying to the same thing within my organization.  Unfortunately, I dont have someone who can write the trojan for me. 

Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?

Thanks,

njemjy
CISSP-ISSEP
njemjy
CISSP-ISSEP
<<

iSmith

User avatar

Full Member
Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Sun Mar 16, 2008 2:23 pm

Re: Social Engineering

BRUTAL ;D
In my eyes, your operating system is as solid as swiss cheese.
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sun Mar 16, 2008 10:56 pm

Re: Social Engineering

Social engineering is my least favorite part of this job. I am not good at being a “con” guy.  I really try and shy away from contracts that require that.  I got into this field because I love technology and I love computers.  I love trying to find a way in. It’s like solving a puzzle and I didn’t get into this field to see if I could lie or sweet talk the secretary at the front desk! Well, not unless she’s hot of course, lol!  But really, I hate for hacking to be equated with social engineering. 
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Mar 17, 2008 3:22 am

Re: Social Engineering

Kev wrote:I am not good at being a “con” guy. 


I'll second that, if I was that good at lying to people I would have gone into management ;)
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Mar 17, 2008 3:31 am

Re: Social Engineering

I think sales guys are the best Social engineers.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Mon Mar 17, 2008 9:32 am

Re: Social Engineering

I think you hit that nail on the head slimjim. Social engineers rank up there with lawyers as some of the scummiest people, but it is part of the job just as a deffense attorney has to deffend a guilty person like they really are inocent. What a life we live....
Mike Conway
CISSP
CompTia Security +
C|EH
<<

bigtone82

Newbie
Newbie

Posts: 7

Joined: Tue Feb 26, 2008 5:32 pm

Post Mon Mar 17, 2008 12:46 pm

Re: Social Engineering

Our sales guys are the A'holes of the company.... but you know if you help them out sometimes you end up getting cubs tickets...  ;)
<<

dean

Post Mon Mar 17, 2008 3:04 pm

Re: Social Engineering

njemjy wrote:I am in the process of trying to the same thing within my organization.  Unfortunately, I dont have someone who can write the trojan for me. 

Does anyone know of any programs I can use? Have any of you done this first hand and can provide some guidance?


use ./msfpayload to generate a self contained executable. You can use any of the metasploit payloads for this. Obviously if you choose to use the connect back option you had better have something listening. use the multi/handler opiton.

With regards to Social Engineering, I fail to see how it is not a valid attack vector. You talk about Social Engineers being 'scum', etc... Is not part of your job as a pentester to simulate the attacks from these 'scum'? It seems to me that if you avoid or discount this attack vector then you are doing your clients a disservice.

If the scope requires it, then what is the problem? It seems that the idea that there is 'no security' amongst users is to blame. When assessing technical controls of a system, etc... don't  you assign a grade or whatever scoring system you used based on the overall security of that system? I constantly hear the phrase "there is no such thing as 100% secure systems" or some variant thereof. If we apply this approach to technical controls that are put in place how is it that we assume that the users should have 100% as a grade? Rather than assuming that all users are going to fail perhaps the same approach you take to the technical aspects you should use when assessing users.

So if you perform as SE type attack (email, IM, WEB, Phone, physical, etc) would this not produce certain metrics? This gives the organization an idea if their user-awareness programs are working or need improvement. I fail to see how this is not valuable. If you can show improvement over time by repeating the SE exercise then I see that as a good thing and something that has value to the company.

dean
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Mon Mar 17, 2008 4:04 pm

Re: Social Engineering

Good Post mambo,

I also agree with dean on this subject. Although I'm not a certified penetration tester, I've done some reading in the area & sometimes what it has to come down to is Social Engineering. Afterall, isn't that how we typically pull off a successful client-side attacks,ect...Social Engineering does seem pretty 'con' but if I was being paid to test a companies security, don't think for a second that I'd blow off using a social engineering tactic.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Mar 17, 2008 5:01 pm

Re: Social Engineering

I agree that Social Engineering is a valid approach to testing security. Kevin Mitnick is an amazing master of it. Regardless of that, its my least favorite part of the job. 
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Mar 18, 2008 5:49 am

Re: Social Engineering

Dean,

I agree with you that social engineering is a valid attack vector (and often the most effective).

However, I think the initial comments (at the very least my own, but I thought others felt the same way) was that SE was something that wasn't enjoyed. For myself this is largely a confidence issue, I'm not a 'people person' therefore trying to convince someone I'm something I'm not is something I don't relish.

I do enjoy the non-interactive, techinical social engineering techniques however and have used dummy sites and spear-phising as an alternative. Following this thread I'm looking forward to testing what happens when I 'lose' a USB stick, thanks for the advice you gave njemjy regarding msfpayload as this should come in useful in this regard.

From those that are skilled at/enjoy social engineering, do you have any advice on how to best introduce yourself into a client's environment? I can't imagine anyone believing my cover stories, would you trust a nervous sweating bloke with your server room? ;)
<<

LSOChris

Post Tue Mar 18, 2008 8:45 am

Re: Social Engineering

i can lie my ass off in an email though :-)
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software