Penetration Testing mailing list archives

Re: Pen-Test and Social Engineering

From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Mon, 6 Feb 2006 10:00:11 -0800 (PST)

In a real scenario, when some attacker wants to gain
access and there is a option to ask the passwords from
employees, then why to spend time in understanding,
scanning and exploiting the infra. Same way if an
attacker can enter the premises of Target Company then
why to waste time in asking the password and
downloading the data. Wherein attacker can enter into
premises, detach the hard disk and take that away.
Looks crazy but thats possible if the value of that
data in hard drive is known to attacker. Another
option suggested by KK about putting a wireless AP in
LAN and then roaming in target network by connecting
through laptop and sitting in car from parking area. 

In any of above-mentioned attacks, network and threats
didnt even come into picture and company might face
huge information/reputation/financial loss. And social
engineering is an easy option to attack a network no
problem of IDS, no fear of being tracked by log
analysis while attacking. Some attackers try to take
out the information of network and internal devices by
calling the IT staff and pretending like a sales guy
who is trying to sell a log analyzer or IDS. There are
many other tricky options to utilize social
engineering.

But yes there is an equal importance to security
health check of servers/network devices. You cant
rely by securing yourself from only one of attacking
scenario (Social engineering, Network threats). You
need to protect yourself both of the attacks.

Many companies educate their employees about social
engineering attacks including their front desk
officers, office boys, security guards etc. Moreover,
companies got policies in place about sharing of
credentials by employees. And companies get those
policy documents signed from their employees.
Including social engineering in pen-test one can
understand that the training that was provided to
employees didnt go waste and employees are still in
compliance. 


cheers!
-D


--- Ratna Kumar <ratnakumarch () visualsoft-tech com>
wrote:

Hi All,

I agree with you all,but  social engineering is a
altogether a different 
game.
It is possible to exploit an individual provided
there is a threat on the 
target network?
PT results can be used to build Social Engineering
??


Thank you,

Regards,
Ratna Kumar
----- Original Message ----- 
From: "Michael Mooney" <wolfiroc () earthlink net>
To: <burzella () inwind it>;
<pen-test () securityfocus com>
Sent: Monday, February 06, 2006 12:02 AM
Subject: RE: Pen-Test and Social Engineering

Most certainly.  Social engineering is an

excellent way of doing a recon

of
your target.  It's amazing that, despite all the

press and warning, people

will still "give up" the information requested if

you sound official or

appear to be helping them.  Human nature, but

human nature can help you

identify what can "kill" the system.

[Original Message]
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Date: 2/5/2006 1:02:07 PM
Subject: Pen-Test and Social Engineering

Hi
In yuor opinion, can a Social Engineering test be

considered part of a

Pen-Test?


Thanks

----------------------------------------------------------------------------

--

Audit your website security with Acunetix Web

Vulnerability Scanner:


Hackers are concentrating their efforts on

attacking applications on your

website. Up to 75% of cyber attacks are launched

on shopping carts,

forms,

login pages, dynamic content etc. Firewalls, SSL

and locked-down servers

are

futile against web application hacking. Check

your website for

vulnerabilities

to SQL injection, Cross site scripting and other

web attacks before

hackers do!

Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

----------------------------------------------------------------------------

---

------------------------------------------------------------------------------

Audit your website security with Acunetix Web

Vulnerability Scanner:


Hackers are concentrating their efforts on

attacking applications on your

website. Up to 75% of cyber attacks are launched

on shopping carts, forms,

login pages, dynamic content etc. Firewalls, SSL

and locked-down servers

are
futile against web application hacking. Check your

website for

vulnerabilities
to SQL injection, Cross site scripting and other

web attacks before

hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

-------------------------------------------------------------------------------

------------------------------------------------------------------------------

Audit your website security with Acunetix Web
Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking
applications on your 
website. Up to 75% of cyber attacks are launched on
shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are 
futile against web application hacking. Check your
website for vulnerabilities 
to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

-------------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Re: Pen-Test and Social Engineering, (continued)
- Re: Pen-Test and Social Engineering Petr . Kazil (Feb 05)
- Re: Pen-Test and Social Engineering Louis Lerman (Feb 05)
- Re: Pen-Test and Social Engineering Fixer (Feb 05)
- Re: Pen-Test and Social Engineering Sysmin Sys73m47ic (Feb 05)
- Re: Pen-Test and Social Engineering Serg Belokamen (Feb 05)
- RE: Pen-Test and Social Engineering Terry Vernon (Feb 05)
- Re: Pen-Test and Social Engineering Tim (Feb 06)
- Re: Pen-Test and Social Engineering Francisco Pecorella (Feb 06)
- RE: Pen-Test and Social Engineering Michael Mooney (Feb 05)
  - Re: Pen-Test and Social Engineering Ratna Kumar (Feb 05)
    - Re: Pen-Test and Social Engineering Dhruv Soi (Feb 06)
    - RE: Pen-Test and Social Engineering Lyal Collins (Feb 07)
- Re: Pen-Test and Social Engineering jalvare7 (Feb 06)
- Re: Pen-Test and Social Engineering Bob Radvanovsky (Feb 06)
  - Re: Pen-Test and Social Engineering Pete Herzog (Feb 06)
  - RE: Pen-Test and Social Engineering Erin Carroll (Feb 06)
    - Re: Pen-Test and Social Engineering Fixer (Feb 06)
    - Re: Pen-Test and Social Engineering Pete Herzog (Feb 07)
    - RE: Pen-Test and Social Engineering Terry Vernon (Feb 07)
    - RE: Pen-Test and Social Engineering Leif Ericksen (Feb 08)
    - Re: Pen-Test and Social Engineering Pete Herzog (Feb 08)

(Thread continues...)