Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Leif Ericksen <leife () dls net>
Date: Thu, 09 Feb 2006 09:09:20 -0600
But of course I left many items off I was just trying to hit the highlights. ;) So how many other folks on this list are seeing this as a possible old farts VS Young bucks train of thought? The old farts want to use finesse and grace using a calculated approach and "hack" at the problem until they are given a solution while the young bucks seem to want some sort of covert operation come in guns a blazing dropping out of the ceiling as depicted in the Hollwe oops.. Hollywood movies that we see these days. War Games VS Hackers VS Bond VS Matrix?. No offense intended here but we should stay on focus with a securityfocus mind here. It takes a special type of person to be a social engineer, after all for those that can get discovery channel and watch dirty jobs every watch the episode that reveals that the Septic Tank Tech was a psychologist prior to the tank technician and was tired of other peoples crap so he started a new job. IMHO: In essence a SE is part Psychologist, part Telephone Psychic that uses cold leading tactics to get information, part very personable. This person is able read people (in person or over the phone) and has the ability to detect any subtleties that would lead them to be able to find the information they need. Should SE be part of a pen-test I would say yes. Normally the weakest link in any security system is the HUMAN element and without social engineering you will not find that weak link! Now if that SE is going to be on site, the person doing the SE would need to be protected, as well as know what boundaries are. Now this detailed plan should not include information that would actually reveal a weakness in itself unless of course the company would normally give that information out to anybody that asked, and not just the pen-test team. much thought and attention to details is required! I could go on but I will stop here. On Wed, 2006-02-08 at 22:46 +0100, Volker Tanger wrote:
Greetings! On Wed, 08 Feb 2006 08:55:52 -0600 Leif Ericksen <leife () dls net> wrote:SHORT AND SWEET: IMHO, a good pen-test will have a contract that dictates 1) Name of the company being tested and people that will be testing. 2) Any forbidden access methods. 3) Any forbidden tactics DOS/or even a shutdown of the server (Real hackers will not care if they shutdown or DOS a server.) 4) Time of the attacks. (start/end date start/end time) (Real hackers will not care about time.) 5) Maybe all telephone numbers owned by the company for a war-dial list. But this might not be shared with the whole team. If a modem is found a weakness is noted, and the actual intrusion team would have to find modems with SE or other methods. 6) If the team is going to be on premise can they enter restricted areas or are they only allowed to test the door to see if it is open.Most important: contacts (esp. phone numbers!) of all people involved! 7a) contact details of pen testers where the client can contact them during the test in case something goes wrong. I once wardialed a client who was not aware that his telephone system relayed each and every non-valid number and/or service to the front desk. 50.000 numbers dialed where only 20% were connected. 4 wardialers each running at 30second intervals. Effectively DoSed the client telephone-wise... 7b) contact (and authority) details of the client. Especially when doing physical assessment. Police usually won't take a "Dunno" as valid legitimation for trespassing... 7c) Who is allowed to know and who not (e.g. for a pentest with simultaneous readiness/performance test of the IDS/FW/network staff). Bye Volker
-- Leif Ericksen <leife () dls net> ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Pen-Test and Social Engineering, (continued)
- Re: Pen-Test and Social Engineering jalvare7 (Feb 06)
- Re: Pen-Test and Social Engineering Bob Radvanovsky (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 06)
- RE: Pen-Test and Social Engineering Erin Carroll (Feb 06)
- Re: Pen-Test and Social Engineering Fixer (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 07)
- RE: Pen-Test and Social Engineering Terry Vernon (Feb 07)
- RE: Pen-Test and Social Engineering Leif Ericksen (Feb 08)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 08)
- Re: Pen-Test and Social Engineering Volker Tanger (Feb 08)
- Re: Pen-Test and Social Engineering Leif Ericksen (Feb 09)
- Re: Pen-Test and Social Engineering Neil (Feb 07)