Penetration Testing mailing list archives
Re: Social Engineering - information disclosing by phone
From: ArcSighter Elite <arcsighter () gmail com>
Date: Mon, 29 Dec 2008 11:07:53 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Taras P. Ivashchenko wrote:
Hello, list! What do you thing about such step of pentest as information disclosing by phone? Yes, of course everybody watched "Hackers" with Jolie and Miller and remember moment when when some security officer told number of modem by telephone. But it's cinema and what about real life? In Penetration Testing Framework [1] we can read: Scenarios IT Department. "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays" If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel. Results Contact Details - Name - Phone number - Email - Room number - Department - Role [1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html What in your opinion we can take (in pentest) from such method of S.E.? Does anybody knows Mitnick here? Please, call him =)
Well, IMHO I think Social Engineering is most valuable to the blackhat, even in that case he usually don't resort on it; for many reasons. As a part of penetration testing scenario, it may be required by the company to perform social engineering "attacks" against people that doesn't belong to the blue/white teams; to achieve the level of user knowledge present at the company. Though, I've personally been asked for this not quite often; as they're mostly interested in the technical aspects of their security infrastructure. I'm not saying social engineering is not worth; but as a part of a penetration testing, in most cases, you'll spend the time assessing the network security in the technical level. Other reason may be that in most cases people that know any kind of information that would be valuable for the pen-test, are basically instructed to not disclose such information to the outside public, and never by phone or over unencrypted channels. Maybe a user could give you an account, but the fact is that in most cases if you have no access to the network, unless you break the external layer this information is useless. Sincerely. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJWPXZH+KgkfcIQ8cRAhVFAJ93xc7zKggLHBFbZkR6AXUg0AqumACeOuTv HTZnF3cydF5U6WADn2Pe4Mo= =2GgZ -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Social Engineering - information disclosing by phone Taras P. Ivashchenko (Dec 24)
- Re: Social Engineering - information disclosing by phone Shomiron Das Gupta (Dec 27)
- Re: Social Engineering - information disclosing by phone Lee Lawson (Dec 27)
- Re: Social Engineering - information disclosing by phone jc (Dec 28)
- Re: Social Engineering - information disclosing by phone ArcSighter Elite (Dec 29)
- Pen-Testing SAP yelukati mahendra (Dec 31)
- Re: Pen-Testing SAP Augusto Pereyra (Dec 31)