Penetration Testing mailing list archives

Re: Pen-Test and Social Engineering


From: "Fixer" <fixer907 () gmail com>
Date: Mon, 6 Feb 2006 20:00:58 -0900

Erin et al.,

My responses are in-line.


<SNIP>
 I'm wondering if any list members would care to
share some actual cases where SE has been used and their methodology.


I frequently use SE or SE-like techniques when I'm running a pen-test. The simple reason is that the relative success (or lack thereof) of SE-type attacks is usually indicative of the organization's overall true security awareness (as opposed to the once-a-year security awareness that most employees core dump). Everyone is familiar with the help/threat/intimidate/lost-soul routines, so I won't waste my time with those.

Probably one of the best attacks that I've used is as follows:

Create a handful of CDs with some legitimate-looking (but totally bogus) data on them, an autorun script and a customized backdoor (one that on-demand AV won't see). Then label the CDs with labels that will make people want to see what's on them. Some of my favorites include:

2006 Payroll Reduction Data
<Company Name> Staff Realignment Survey Results
2007 Cost Reduction Plan
etc.

Just use your imagination. Make sure you slap CONFIDENTIAL on it once or twice. Also use company logos, and maybe a department name. Just to be cute I like to put something like: "If Found, Return to <Department Name>". Then scatter them around public areas (breakrooms, restrooms, etc.). Typically one of two or three things will happen:

1) An employee will find it, realize "what's on it", go to their desk, slap it in their desktop. At this point the backdoor launches and you get a command prompt via that nifty shell that the backdoor shoveled.

2) An employee will find it, return it to the <name> department. The person who gets it will go "what's this?" and pop it into their system. Same end result, you just usually get access to a system with more data on it.

3) Someone finds it and takes it home to look at. Not as good, but still useful if they happen to have a VPN connection.


Also, if you want to invest a little more time (and money) into it, register a domain and create a simple site. My favorite is to use a "consulting firm" that has been hired to do an "employee satisfaction survey". Of course, to get to the survey you have to enter your credentials (the same ones you use to log on to the network). The employees take the "survey" and the credentials are spit out however you like. There are a number of ways to get them to the site, but I typically just log into 25/tcp on their mail server and send out several handfuls of spoofed messages from someone important-sounding (usually the HR people or some such). I'm amazed at how well that works in most cases.


Sometimes social engineering isn't tricking someone into revealing data,
sometimes it can be as simple as knowing they'll follow their normal
procedures, no matter how security-conscious they may be, and exploiting it.


Very true. Probably the single most useful thing about SE is that it gives you a glimpse into how the organization functions, which can be useful in later stages of the test. Even something as simple as knowing what their badges look like can help. It's amazing how simple it is to forge an ID badge once you know what they look like. Ten minutes and the right hardware and you can make yourself an "employee" of anyone from CNN to the DoD (not to pick on them).

Personally, I think one of the reasons that some people aren't thrilled about SE is that it's a little too "touchy-feely" for them and (as previously noted) not "objective enough". Really though, if you just look at it in terms of "am I able to get information that will help me further my test/attack?" then it becomes a very objective, yes/no sort of question.

-cdh
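A defender-side check for the spoofed-sender step of the "survey" attack described above, added here as an illustration and not part of the original post: it reads the earliest Received header, which records the address the MX saw on the 25/tcp connection, and flags mail that claims an internal From: address but was injected from outside the internal networks. The domain example.com, the 10.0.0.0/8 internal range and the two sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Source address as the receiving MTA records it: "from helo (rdns [ip])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg):
    """IP that injected the message, taken from the earliest Received header.
    Received headers are prepended, so the last one is the hop closest to the
    sender: the address our MTA saw on the 25/tcp connection."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(received[-1])
    return m.group(1) if m else None


def flag_spoofed_internal(raw, internal_domain, internal_nets):
    """True if the From: claims internal_domain but the message entered from
    outside internal_nets (CIDR strings) or has no traceable origin."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr or addr.rsplit("@", 1)[1].lower() != internal_domain.lower():
        return False  # claims an external sender; left to other controls
    ip = first_hop_ip(msg)
    if ip is None:
        return True
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return not any(ipaddress.ip_address(ip) in net for net in nets)


# Constructed samples for a hypothetical example.com; 203.0.113.0/24 is a
# documentation range standing in for an outside host talking to the MX.
LEGIT = """Received: from hrdesk.example.com (hrdesk.example.com [10.0.5.12])
 by mx.example.com with ESMTP; Mon, 6 Feb 2006 09:10:00 -0900
From: HR <hr@example.com>
Subject: Benefits reminder

Please review your enrollment.
"""
SPOOFED = """Received: from example.com (unknown [203.0.113.7])
 by mx.example.com with SMTP; Mon, 6 Feb 2006 09:12:00 -0900
From: HR <hr@example.com>
Subject: Employee satisfaction survey

Please log in to complete the survey.
"""
```

Run `flag_spoofed_internal(SPOOFED, "example.com", ["10.0.0.0/8"])` to see the spoofed sample flagged and the legitimate one pass; a mail gateway rule that rejects or tags such messages is the practical form of this check.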
