Penetration Testing mailing list archives

Re: physical security pentesting and social engineering


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 04 Dec 2004 14:35:58 +0200

I originally planned to email it for the social engineering thread, but our moderator closed it.

-----

Bones wrote:

> I am sure this has been asked here several times before, but if
> everyone could indulge me I would be grateful.
>
> I am trying to find some good resources for social engineering
> methodologies and such performed as part of pen-test work.
>
> Books, links, previous SF posts (date/subject) etc. are all welcome.

Hi. I've seen many people on this thread providing you with reading material and some suggestions on where to learn more - I've learned a lot from it myself.

I will try and give you five simple and practical examples. You can take it from there:
1. Drop a floppy near the closest vending machine or in-building
   dining-room. Put a call-home executable on it with a shiny icon and
   name.
2. Drop a CD saying "fourth quarter layoffs" in the elevator, put an
   auto-run with your call-home bit.
3. Give away some PC mags at the entrance or across the street, and put
   your CD in.
4. Drop a wireless router in the middle of the building (plan according
   to corporate culture. Someone might actually pick it up, or ignore
   it). You can even write on the button asking people to call security
   (then try that again with promise of a reward). Consider putting it
   in a rack.
5. Try gathering a tiny bit of info about workers and friends, then send
   a (possibly spoofed) email, with a small surprise inside. You can be
   a boss going abroad and asking for info to be sent to a hotmail
   box.. or just a friend of a friend (or the friend itself) sending a
   cool flash program.

Other than that I'd also try to trick my way into places.. running after doors, asking for people to keep them open for me, or hold on to something.. maybe even speak my way into the building/premises itself. But that would take research (or being small).

Ever tried waving a 20 bill as if it is a credential and going in? :)

If you plan anything big, make sure you go big. Get actors and do your research. For a simple pen-test it won't be required - but that is only my bet.

There is no such thing as a non-successful pen-test. If there is - you lose, and not just financially. The ego involved with this is not to be underestimated - "we passed the pen-test!". That is why I believe in social engineering for penetration testing.

I hope this helps!

:)

    Gadi Evron.
