lptv4 module 26 social engineering penetration testing_norestriction

ECSA/LPT

EC Council Mod le XXVIEC-Council Module XXVI

Social Engineering P t ti T tiPenetration Testing

Penetration Testing Roadmap

Start HereInformation Vulnerability External

Gathering Analysis Penetration Testing

Fi ll Router and InternalFirewall

Penetration Testing

Router and Switches

Penetration Testing

Internal Network

Penetration Testing

Wireless Network

Penetration Testing

Denial of Service

Penetration Testing

Password Cracking

Stolen Laptop, PDAs and Cell Phones

Social EngineeringApplication

Cont’d

Penetration TestingPenetration Testing Penetration TestingPenetration Testing

Penetration Testing Roadmap (cont’d)(cont d)

Cont’dPhysical S i

Database P i i

VoIP P i T iSecurity

Penetration Testing

Penetration testing Penetration Testing

Vi dVirus and Trojan

Detection

War Dialing VPN Penetration Testing

Log Management

Penetration Testing

File Integrity Checking

Blue Tooth and Hand held

Device Penetration Testing

Telecommunication And Broadband Communication

Email Security Penetration Testing

Security Patches

Data Leakage Penetration Testing

End Here

Communication Penetration Testing

gPenetration Testing

Penetration Testing

What is Social Engineering?

The term social engineering is used to describe the various tricks usedto fool people (employees, business partners, or customers) intovoluntarily giving away information that would not normally be knownto the general public.

Examples:

• Names and contact information for key personnel• System user IDs and passwords• Proprietary operating procedures

C t fil• Customer profiles

Requirements of Social Engineering Engineering

Be patient when you make several phone calls to a person to gather sensitive information.

Appear to be confident so that people will believe you.

Develop trust of the target person by using mirror techniques.

Have knowledge while gathering the details of an person to whom you are contacting at a company.

Steps in Conducting Social Engineering Penetration TestEngineering Penetration Test

1 • Attempt social engineering techniques using phone

2 • Attempt social engineering by vishing

3 • Attempt social engineering by telephone

4 • Attempt social engineering using email

5 • Attempt social engineering by using traditional mail

i l i i i6 • Attempt social engineering in person

7 • Attempt social engineering by dumpster diving

I id li8 • Insider accomplice

9 • Attempt social engineering by shoulder surfing

• Attempt social engineering by desktop information

10 • Attempt social engineering by desktop information

Steps in Conducting Social Engineering Penetration Test (cont’d)Engineering Penetration Test (cont d)

11 • Attempt social engineering by extortion and blackmail

12 • Attempt social engineering using websites

13 • Attempt identity theft and phishing attacks

14 • Try to obtain satellite imagery and building blue prints

15 • Try to obtain the details of an employee from social networks sites

16 • Use a telephone monitoring device to capture conversation

17 • Use video recording tools to capture images

18 • Use vehicle/asset tracking system to monitor motor vehicles

19 • Identify “disgruntled employees” and engage in conversation to extract sensitive information

20 • Document everything

Before you Start

Print business cards of a bogus companyg p y

Make sure you have email ID printed on your business card, e.g jdownes@insuranceusa.comj @

Buy clothes that are need for the social engineering attacks, e.g fireman uniform

Print bogus ID cards

Setup a bogus website for the company you represent

Register a new number for your mobile phone that will be used in the

Register a new number for your mobile phone that will be used in the social engineering attack

Dress Like a Businessman

Dress like a businessman; wear a tie and a e pensi e s itexpensive suit

Carry a briefcase

Your attire should command great respect

You are judged by how good you look

Wear glasses to look more intelligent

Step 1: Attempt Social Engineering Techniques Using PhoneTechniques Using Phone

Call the company’s help desk and ask for sensitive information

Call the receptionist, engage in conversation and extract various contact details of the company

Make it look realistic – rehearse many times before you make the call

Have backup answers for every question you throw at the target person

Record the conversation – reporting purposes

“Hi, this is Jason, the VP of sales. I'm at the New York branch today and I can't remember my password. The machine in my home office has that 'Remember password' set, so it's been months since I actually had to enter it. Can you tell me what it is, or reset it or something? I really need to access this month's sales reports ASAP."

"Hi, this is Joanna at the Boston branch. I'm the new LAN administrator and my boss wants this done before he gets back from London. Do you know how I can:Do you know how I can:

Configure our firewall to have the same policies as corporate?

Download the latest DNS entries from the corporate DNS server to our local server?

Run a transaction on a remote file and print server using a Shell command?

Back up the database to our off-site disaster recovery location?

Locate the IP address of the main DNS server?

Set up a backup dial-up connection to the corporate LAN?

Connect this new network segment to the corporate intranet?"

Step 2: Attempt Social Engineering by VishingEngineering by Vishing

Use the vishing technique and pose as an employee of legitimate i enterprise

Trick the users and gather their personal sensitive informationTrick the users and gather their personal sensitive information

Look for the following:

• Payment card information• PIN (Personal Identification Number)

( )• Social insurance number• Date of birth• Bank account numbers

• Passport number

Step 3: Attempt Social Engineering by TelephoneEngineering by Telephone

Three common techniques to perform

• Pose like a disgruntled customer.A t l i h l

social engineering using telephone are:

• Act as a logging helper.• Appear as a technical support member.

Step 4: Attempt Social Engineering Using EmailEngineering Using Email

Create a webpage that spoofs the company’s identity

Send an email to someone in the company to visit http://x.x.x.x/login.asp? And ask http://x.x.x.x/login.asp? And ask them to re-login to activate the server upgrade

Make the email look legitimate and real (company fonts, colors, logo, etc.)

Step 4: Attempt Social Engineering Using Email (cont’d)Engineering Using Email (cont d)

Send sweepstake (like lottery, gifts) information to users and ask them t id th i il ID d d dd th h li to provide their name, email ID, password, and address through online form

Another way to obtain information online is by sending mails to users and requesting them to provide password by posing yourself as a network administrator

Step 4: Attempt Social Engineering Using Email (cont’d) Engineering Using Email (cont d)

"You have been specially selected..."

"You have won..."

" $ h ""A new car! A trip to Hawaii! $2,500 in cash!"

"Yours, absolutely free! Take a look at our..."

"Your special claim number lets you ..."

"All i h dli ”"All you pay is postage, handling, taxes ...”

Email Spoof: Screenshot 1

Step 5: Attempt Social Engineering by Using Traditional Mailby Using Traditional Mail

Send “snail” mail letters to selected employees of the target company

Example:

Make the letter look real so that people fall for the scam

• Congratulations, you've been preapproved for a holiday to London (all expenses paid). To claim your gift, please complete the enclosed circulation survey and return it to us at Green Apple

Example:

the enclosed circulation survey and return it to us at Green Apple Travel Services.

• If you accept this offer by 3/4/2004, we will also send you a complementary American Express leather wallet.

Example

Fake prize letter offering holiday Fake prize letter offering holiday trip in exchange for survey

Step 6: Attempt Social Engineering in PersonEngineering in Person

Visit the physical facility and attempt social engineering techniquesp y y p g g q

Rehearse what you are going to say

k i h l

Dress appropriately – for example if you are going to spoof as fireman then you better wear those uniforms and speak like them

• Sensitive information.• Contact information.

Ask questions that reveal:

Contact information.• Company policies.• IT infrastructure.• Invite the party for a drink or coffee and continue social engineering

techniques at a coffee table

techniques at a coffee table.• Establish trust.

Example

"Hi I' J h B I' ith th t l dit A th S d "Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash "show me how you would recover from a website crash.

Example

"Hi, I'm Sharon, I'm a sales rep out of the New York office. I know this is short notice, but I have a group of perspective clients out in the car that I've been trying for months to get to outsource their security training needs to us outsource their security training needs to us.

They're located just a few miles away and I think that if I can give them a quick tour of our facilities it should be enough to push our facilities, it should be enough to push them over the edge and get them to sign up.

Oh yeah, they are particularly interested in what security precautions we've adopted what security precautions we ve adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."

y g p y

Example

"Hi I'm with Aircon Express Services We Hi, I m with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-y g p fsounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.

Step 7: Attempt Social Engineering by Dumpster DivingEngineering by Dumpster Diving

The term dumpster diving is used to describe searching disposal areas The term dumpster diving is used to describe searching disposal areas for information that has not been properly destroyed.

M i ti tili h t l f th d Many organizations utilize hotel conference rooms or other unsecured facilities to conduct brainstorming sessions.

Once the session is complete, no one considers wiping down the whiteboards used to record the output of the meeting.

Steps for Dumpster Diving

Collect trash cans and paper binsp p

Trash can be looked up inside the office or outside the buildingthe building

• Sensitive documents.• Customer contacts.• Email messages.

h d• Purchase orders.• Appointments.• Schedules.• Envelope addresses

• Envelope addresses.• Post-it notes.

Step 8: Insider Accomplice

A developer building a Trojan horse or time bomb into a web application (especially if the developer is a short-term consultant)

A DBA adding some attacker-friendly stored procedures to the A DBA adding some attacker-friendly stored procedures to the production database

A webmaster installing a backdoor or rootkit on the web server

A network engineer making an illicit copy on a production server's entire hard drive

Step 8: Insider Accomplice (cont’d)(cont d)

A system administrator forgetting to install an operating system security hpatch

A value-added retailer (VAR) installing a firewall and leaving the f ' d f l i imanufacturer's default maintenance account active

An engineer from the local utility company attaching a network sniffer LANto a LAN

A member of the cleaning crew retrieving any useful-looking post-its f h ' bifrom the computer room's wastepaper bin

Accomplice

Using social engineering techniques befriend someone inside the company and try turning them into an accomplice

This could be achieved by:

• Bribing.• Becoming involved in a personal relationship.

This could be achieved by:

Becoming involved in a personal relationship.• Helping the person by understanding his needs.• Exchange for movie tickets, football games, etc.• Handing out gifts such as handphones.g g p

Step 9: Attempt Social Engineering by Shoulder SurfingEngineering by Shoulder Surfing

Shoulder surfing is a process of overlooking someone's shoulder in order to gather password or a PIN code and other critical information

Perform the following:

order to gather password or a PIN code and other critical information.

• Gaze into some one’s password or PIN code with the help of binoculars or a low-power telescope

• Coat the keypad with a thin painted ultraviolet material so that you • Coat the keypad with a thin painted ultraviolet material so that you can view the key or PIN entered by the user

• Listen to the keystrokes while a user types a password so that you can judge the number of characters the user’s password contains

• Listen to the telephone keypad when a user dials a PIN to determine the PIN code from the sounds of Dual Tone Multi Frequency tones

Step 10: Attempt Social Engineering by Desktop Informationby Desktop Information

Check for the desktop system that is not locked by the user and hack the i h ll i i d i h f h d h h system with all permissions and access rights of the user and gather the

sensitive information.

Use computer’s cache file and gather all recent passwords, websites visited, and cookies which are used to exploit the user’s network access.

Perform desktop social engineering during the office hours when the employees are in the office, but away from their system.

Check for the employees who never lock their draw and keep their files and papers on their desk through which sensitive information like user name, password, and so on can be gathered easily.

name, password, and so on can be gathered easily.

Step 11: Attempt Social Engineering by Extortion and Blackmailby Extortion and Blackmail

You can attempt blackmail and extortion if your penetration testing contracts allow itcontracts allow it.

This type of pen-test might invoke local police authorities if not handled correctly.

The management and the IT team should be aware of every step in this experiment.

I d b dl b f i Y

Call an employee and threaten him like:

• I was treated very badly because of your customer service. You John Stevens, as a support engineer, you have violated US environmental act 345, 222,563, I will be initiating a lawsuit against you as a person and your firm and report the breeches to the US environmental agency unless

the US environmental agency unless……

Step 12: Attempt Social Engineering Using WebsitesEngineering Using Websites

Use fake sites to redirect the employees to give out passwords and other sensitive informationother sensitive information.

Step 13: Identity Theft and Phishing AttacksPhishing Attacks

Attempt identity theft using employees’ company IDs.

Attempt phishing attacks on company employees and see if you can deceive them.

Step 14: Try to Obtain Satellite Imagery and Building Blue PrintsImagery and Building Blue Prints

This will help you to locate doors, windows, and exits at the premise

You don’t have to do guess work where to go in the location

The building blueprint can be obtained from the land administration department

Company Blue Print

Step 15: Try to Obtain the Details of an Employee from Social Networks SitesEmployee from Social Networks Sites

Visit social network websites:

• www.orkut.com• www.facebook.com

hi• www.hi5.com• www.myspace.com

Gather the details of employee from the communities that are available in the social network sites

Social Networks Websites: ScreenshotsScreenshots

Step 16: Use Telephone Monitoring Device to Capture ConversationDevice to Capture Conversation

Illegal tie-up with authorized federal agencies may allow t o engage i iin wiretaps

Sensitive information can revealed by illegal recorded phone calls i h h h ' idwithout the other party's consent as evidence

Devices: Telephone recorders and call recorders Devices: Telephone recorders and call recorders

Step 17: Use Video Recording Tools to Capture ImagesTools to Capture Images

This will help you to capture the streaming p y p gvideo and snapshots of the victim’s computer screen where you can capture their:

• Passwords. • Credentials .• Personal information.

Tools: Digital Video Recorder and Quick Screen Recorder

Step 18: Use Vehicle/Asset Tracking System to Monitor Motor Vehicles System to Monitor Motor Vehicles

Covert tracking system that screens vehicles location via global g y gpositioning system

Devices that locate the approximate area of

• Pro Trak GPS • RF Scout GPS Tracking System

ppthe trailer:

RF Scout GPS Tracking System

Spy Gadgets

Use spy gadgets to get insider information of the organization.

A spy camera system concealed in a decorative clock automatically records images on a removable memory card

py g g g g

automatically records images on a removable memory card upon Video Motion Detection.

A micro camera so small it can sit on a dime with room left A micro camera so small it can sit on a dime with room left over. This black and white CMOS camera weighs just 0.9g without the cable, is 8mm X 8mm X 8mm draws just 15mA, and consumes a minuscule 7 to 12 VDC.

256MB flash memory records up to 9 hours of voice via built in microphone and also holds your favorite MP3s

built-in microphone and also holds your favorite MP3s.

Step 19: Identify “Disgruntled Employees” and Engage in Conversation to Extract Sensitive

Information Information

Identify disgruntled employees by overhearing conversation in the company cafeteria

Befriend him and express similar views about the company to extract the following information:

company cafeteria.

• Company policies and IT infrastructure• Work place address and contact address

P l i f i

co pa y to e t act t e o o g o at o :

• Personal information• Bank accounts and credit card numbers• Organization computer network details• Organization policies• Organization policies• Organization structure• Organization functions• Organization future projects

g p j• Organization employee details

Step 20: Document Everything

Document your results and findings:

• Name and employee ID• Official email ID and passwords• Personal email ID and passwordsp• Social security number and designation• Workplace address and contact address• Personal information• Bank accounts and credit card numbers• Organization computer network details• Organization policies• Organization structure• Organization functions• Organization future projects

• Organization employee details

lptv4 module 26 social engineering penetration testing_norestriction

Documents

bitumina - bitumen penetration grade 60 70- …€¦ ·...

lptv4 module 22 ids penetration testing_norestriction

market penetration and acquisition strategies for...

lptv4 module 25 password cracking penetration...

penetration testing - perspective risk · pdf filea provider...

lptv4 module 31 voip penetration testing_norestriction

lptv4 module 43 penetration testing report and documentation...

penetration test

lptv4 module 47 standards and compliance

lptv4 module 20 router and switches penetration...

penetration mechanism of partial penetration electron beam...

droplet impact and penetration onto … · droplet impact...

unit i site investigation and selection of foundation ·...

lptv4 module 33 wardialing

lptv4 module 39 email security penetration...

lptv4 module 27 stolen laptop, pdas and cell phones...

lptv4 module 40 security patches penetration testing

lptv4 module 24 denial of service penetration...

field cone penetration tests with various penetration rates...

lptv4 module 12 customers and legal agreements