Tag: social engineering
When we speak about social engineering the normal conversation steers away from the technical and more to the psychological. This month we are going to change it up a bit and steer head on into the technical arena for a discussion about penetration testing.
There always seems to be a debate online about pentesting: what it is and what it isn’t, how to do it right, how to do it “real world,” how to do it hardcore and even l33t. But at the end of the day what each and every pentester wants (or should want) is to uncover the holes in the client’s network, so they can be mitigated before the bad guys use those very same holes for malicious purposes.
That desire should drive each “real world” pentester to use every tool – technical or not – at his disposal for the benefit of his clients. This is where our discussion turns: how to use social engineering as a technical tool, or as a tool to get technical details.
20 years. Hard to believe, but Defcon has been around for 2 decades. And Black Hat has been doing its thing for 15 years and continues to buck the conference trend and grow in attendance each year. These two security conferences are some of the pace setting events for our industry. For the last few years, the crew at Social-Engineer have been a part of these events, and this year is no different. As you may know, we have 2 arms of our organization. Social-Engineer.org is the free web portal that strives to achieve “Security Through Education” not only with our core crew but also with many excellent contributors. Social-Engineer.com is our commercial arm offering social engineering services (such as penetration tests) and training. Here are some of the events, happenings and schedule for us during the annual pilgrimage to Vegas.
Many fans of the Social-Engineer.org newsletter will remember a couple years ago when I launched some research. I wrote about the study and the use of nonverbal communications and labeled it NLH. Over the last couple of years I have been working on deepening and broadening that research and feel that the title limited my studies. Moving to a more general definition like “nonverbal human hacking” takes away the stigma and connection to NLP that made many view this area as something more mystical and not science-based research.
The fact of the matter is that social engineering is nothing new. From some of the oldest stories recorded in mankind’s history until today, social engineering has been used. Despite the advancement in technology the same principles work when it comes to “hacking the human OS.”
As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole. As you most likely have heard, we have interviewed radio hosts, psychologists, law enforcement officials, dating experts, scientists and others to try and understand what each of those fields has to offer a social engineer.
For the past few months, I’ve brought you articles on launching your career as a social engineer, the psychology and history behind hacking humans and even some scams you can pull on your clients for their own good. As wonderful as it is to talk about the methods, the tricks and the sexy stories of social engineering pwnage, we need to take a step back and discuss the business end of this spectrum.
Yes, I said it… business side. After all, most of us reading this article either are in IT/Security or want to be. So how can one sell SE penetration tests? How can you scope it? Price it? And what do you give the client at the end of the engagement? All of these are good questions for budding professional social engineers, and thus the topic of this month’s column, the process of selling and delivering a social engineering penetration test.
As a professional social engineer, it is beneficial to study the methods of scamming that the bad guys have used in the past, compare it to modern tactics and see what can be learned. Experts have agreed that the motivation for most scams is greed. Although that is true, it is also found that fame, attention or just the need to maliciously hurt and steal from others are strong motivators for scamming people. This month, let’s analyze some old scams, compare them to a modern-day equivalent and see what we can learn as Social Engineering Pentesters to ethically scam your clients.
Although scams have been around since the dawn of man, this one from 1812 is notable. A Philadelphia man named Charles Redheffer claimed that he had invented a perpetual motion machine, a theoretical device that, after only one initial input of power, will perpetually continue to generate energy. Even though such a machine would break the laws of thermodynamics, his claim was supposedly backed up by an actual working device. His next desire was to secure government funding to “build a larger version”. He actually got the money and built a new machine, but he then fled the city when inspectors found that he had hidden the real power source. Undeterred, he tried the same scam in New York City but was again caught when the inspectors removed a wall of the machine to reveal an old man eating a sandwich and turning a crank. This machine can still be seen today in the Franklin Institute of Philadelphia. In analyzing this scam we can see some basic principles at play.
By Chris Gates, CISSP, GCIH, C|EH, CPTS
It should be obvious to everyone that the bad guys are moving away from network level attacks and moving toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client side exploitation during your pentests.
A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page. This increases the attack surface by allowing the pentester to perform Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email rather than as a link to a website. Your mileage may vary on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of a “normal” or “non-malicious” type like .pdf and .html than to click on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u and .xpm, as well as others.
This isn’t to say that some fileformat exploits can’t be delivered via the web. You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user’s inbox. So let’s take a quick look at how this can be accomplished.
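The flip side of sending fileformat exploits by email is detecting them when they arrive, which is what the article says a pentest should help the organization practice. The following is an added example, not code from the article or from the Metasploit Framework: it parses a raw email message, pulls out every attachment, and flags the ones that use a carrier format named above, whose bytes do not match the signature their extension promises, or (for PDFs) that contain the /OpenAction, /JavaScript, /JS or /Launch keywords that exploit PDFs typically rely on. The sample message, the attachment names and the attachment contents are all constructed inline for the demonstration; the PDF fragment is a minimal hand-written catalog with a JavaScript action, not a real exploit.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types the article names as fileformat-mixin carriers.
RISKY_EXTS = {".pdf", ".html", ".htm", ".cab", ".m3u", ".xpm"}

# Well-known file signatures; a mismatch means the file is not what its name says.
MAGIC = {".pdf": b"%PDF-", ".cab": b"MSCF"}

# PDF keywords commonly used to trigger code when the document is opened.
SUSPICIOUS_PDF_MARKERS = [b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch"]


def classify_attachment(filename, data):
    """Return a list of human-readable reasons an attachment looks risky (empty if none)."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in RISKY_EXTS:
        reasons.append("extension %s is a fileformat-exploit carrier" % ext)
    sig = MAGIC.get(ext)
    if sig and not data.startswith(sig):
        reasons.append("content does not match the %s signature" % ext)
    if ext == ".pdf":
        for marker in SUSPICIOUS_PDF_MARKERS:
            if marker in data:
                reasons.append("PDF contains %s" % marker.decode())
    return reasons


def risky_attachments(raw_message):
    """Parse a raw RFC 822 message and return [(filename, [reasons...]), ...] for risky parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_email():
    """Constructed sample: a phishing-style message with three suspicious and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"        # constructed address
    msg["To"] = "employee@example.test"          # constructed address
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice before Friday.")

    # A PDF whose catalog fires a JavaScript action on open (hand-written fragment).
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
           b"%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")

    # Named .pdf but actually HTML: signature mismatch.
    msg.add_attachment(b"<html><script>document.location='http://evil.test/'</script></html>",
                       maintype="application", subtype="pdf", filename="statement.pdf")

    # Playlist format named in the article as a carrier.
    msg.add_attachment(b"#EXTM3U\nhttp://evil.test/track.mp3\n",
                       maintype="audio", subtype="x-mpegurl", filename="playlist.m3u")

    # Benign text attachment; should not be flagged.
    msg.add_attachment(b"Quarterly numbers attached separately.",
                       maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in risky_attachments(build_sample_email()):
        print(name)
        for r in reasons:
            print("  -", r)
```

On the constructed message this flags invoice.pdf (carrier extension plus the /OpenAction, /JavaScript and /JS keywords), statement.pdf (carrier extension plus a signature mismatch) and playlist.m3u (carrier extension), and leaves notes.txt alone. The same functions can be pointed at a mail gateway's quarantined .eml files; the obvious extension to add is a hash lookup or a sandbox detonation for anything that trips the signature-mismatch rule.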