Penetration Testing mailing list archives
Re: Social Engineering - information disclosing by phone
From: Lee Lawson <leejlawson () gmail com>
Date: Thu, 25 Dec 2008 22:41:46 +0000
Hi,

I wrote that SE example scenario for the framework and I supplied it purely for people to use as an example so they can go off and create their own for their tests. I have used it; well, I wrote it for a girl called Zoe who worked for me, and it did elicit usernames and passwords from the target organisation.

The real point was to show the components of an SE attack:

* the information required
* the reason it is needed
* the reason why they should give it up

Make up your own scenarios that are specific to your clients, that are imaginative and realistic. Get the groundwork done before you pick up the phone though: get phone lists, employee names etc. Be confident and persuasive without going down the line of threatening behaviour, as they are your customers after all.

Good luck, and post us your feedback on what worked and what didn't.

Lee J Lawson

Sent from my iPod

On 24 Dec 2008, at 20:34, "Taras P. Ivashchenko" <naplanetu () gmail com> wrote:
Hello, list!

What do you think about such a step of a pentest as information disclosure by phone? Yes, of course everybody watched "Hackers" with Jolie and Miller and remembers the moment when some security officer told the number of a modem by telephone. But that's cinema; what about real life?

In the Penetration Testing Framework [1] we can read:

Scenarios

IT Department.

"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays."

If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel.

Results

Contact Details
- Name
- Phone number
- Email
- Room number
- Department
- Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What, in your opinion, can we take (in a pentest) from such a method of S.E.?

Does anybody know Mitnick here? Please, call him =)

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds
Current thread:
- Social Engineering - information disclosing by phone Taras P. Ivashchenko (Dec 24)
- Re: Social Engineering - information disclosing by phone Shomiron Das Gupta (Dec 27)
- Re: Social Engineering - information disclosing by phone Lee Lawson (Dec 27)
- Re: Social Engineering - information disclosing by phone jc (Dec 28)
- Re: Social Engineering - information disclosing by phone ArcSighter Elite (Dec 29)
- Pen-Testing SAP yelukati mahendra (Dec 31)
- Re: Pen-Testing SAP Augusto Pereyra (Dec 31)