Penetration Testing mailing list archives
Re: Social Engineering - information disclosing by phone
From: jc <antihacker.jc () gmail com>
Date: Sun, 28 Dec 2008 13:17:56 -0800
On Dec 24, 2008, at 12:34 PM, Taras P. Ivashchenko wrote:
Hello, list! What do you think about such step of pentest as information disclosing by phone? Yes, of course everybody watched "Hackers" with Jolie
What red-blooded male mammal could forget Jolie? Seriously now? While I can't speak for anyone else, I do know that my body aches to make child's with her...
and Miller and remember moment when some security officer told number of modem by telephone. But it's cinema and what about real life?
In real life, you get the girl who lives with a lot of cats.
In Penetration Testing Framework [1] we can read: Scenarios IT Department. "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays" If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel.
Remember, less is more. The more explaining you have to do, the greater propensity to screw it up. Why not take the phn # out of the equation by spoofing the caller ID? On sanctioned, Full-Oink SE tests, this is but one of the many tools in my black bag.
Results Contact Details - Name - Phone number - Email - Room number - Department - Role
Don't forget to do DD before the test, like simple ref. search for people in the org. Find out their corp. email naming convention...Exchange usually uses one kind, etc. Fire off some earnest emails, but use a service like ReadNotify (or roll-ur-own with self-code) to garner info about their internal ntwk. structure, who they passed the message to,
how long they read it, etc...
[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html
What in your opinion we can take (in pentest) from such method of S.E.?
It's one of many methods. It usually doesn't work like the movies, i.e., unless the target has less brain power than, let's say, a school of plankton. Or Sea-Monkey's! Sea Monkey's!
Does anybody know Mitnick here? Please, call him =)
Yeah, I'd like to know too, he still owes me $25 from 1985.
-jc