Penetration Testing mailing list archives
Social Engineering - information disclosing by phone
From: "Taras P. Ivashchenko" <naplanetu () gmail com>
Date: Wed, 24 Dec 2008 23:34:33 +0300
Hello, list!

What do you think about such a step of a pentest as information disclosure by phone? Yes, of course everybody has watched "Hackers" with Jolie and Miller and remembers the moment when some security officer gave out the number of a modem by telephone. But that's cinema; what about real life?

In the Penetration Testing Framework [1] we can read:

Scenarios

IT Department.
"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays"
If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel.

Results

Contact Details
- Name
- Phone number
- Email
- Room number
- Department
- Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What, in your opinion, can we take (in a pentest) from such a method of S.E.?
Does anybody know Mitnick here? Please, call him =)

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds