social engineering
DESCRIPTION
Learn about human hacking and the art of social engineering. Get a general overview of what is possible with some simple tools, both technical and non-technical in nature. This presentation is aimed at making the viewer more aware of what information they may be giving out, even without knowing it.

TRANSCRIPT
SOCIAL ENGINEERING: THE HUMAN HACK
By: Lance Howell
A LITTLE ABOUT ME… VERY LITTLE.
• 36 years old
• BS in Information Systems Security
• Interests: Information Security, Linux, web development, and general hacking
• Web Site: www.tech-heaven.net
WHAT DO YOU THINK OF
• Liar
• Conman/Con artist
• Criminal
• Politicians
• Actor
• Performer (Magician, Hypnotist, Comedian, etc.)
STEPS OF AN ATTACK
• Information Gathering
• Elicitation
• Pre-texting
• Influencing Others
  • Reciprocation
  • Scarcity
  • Authority
  • Commitment and Consistency
  • Liking
  • Consensus or Social Proof
PSYCHOLOGICAL PRINCIPLES TO STUDY
• Modes of Thinking
• Eye Cues
• Micro-Expressions
• Neuro-Linguistic Programming (NLP)
• Interview and Interrogation
• Establish Rapport with the Person
MICROEXPRESSIONS
The small facial expressions and body language that can be used to tell what a person is really thinking or what they are feeling about the conversation.
EXAMPLES OF MICROEXPRESSIONS
ANGER
1. Eyebrows are down and together.
2. Eyes glare.
3. Narrowing of lips.
CONTEMPT
1. Lip corner tight and raised on one side of face.
DISGUST
1. Narrowed eyes.
2. Wrinkled nose.
3. Parted mouth.
SAD
1. Creased forehead.
2. Eyes losing focus.
3. Downturned mouth.
4. Wavering chin.
FEAR
1. Raised eyebrows and pulled together.
2. Wide-open eyes.
3. Tensed lower eyelids.
4. Parted lips. Lips slightly stretched.
COMPUTER-BASED TOOLS
• Maltego 3.0
• Maltego Mesh: Firefox plug-in (no longer supported or updated)
• Social Engineering Toolkit (SET): good for e-mail based attacks and phishing
• Common User Password Profiler (CUPP)
• Cree.py (BRAND NEW)
MALTEGO 3.1
• Community Edition vs. Commercial Edition
• Works on Windows, Mac and Linux
• Provides a graphical way to run several Linux commands
MALTEGO MESH: WHY USE IT?
• Free
• Helps you find information quickly within a large page (no need to read an entire long blog to find an email address)
• Quickly search Facebook by email address instead of having to browse to each site
• Not being developed anymore
DEMONSTRATION OF MALTEGO 3
SOCIAL ENGINEERING TOOLKIT (SET)
• Tool designed to perform advanced attacks against a person or organization; used during a penetration test
• Under constant development (be sure to update SET every couple of days). Current version: 3.3
• Configure the set_config file
• New version includes a web GUI
• Traditional interface is an interactive, menu-driven interface
TYPES OF ATTACK VECTORS
SHODAN (http://www.shodanhq.com/)
• Search engine for connected machines
• Search for computers that are connected to the internet based on city, country, latitude/longitude, hostname, operating system and IP
DEMONSTRATION OF SHODAN
CREE.PY, ISN’T IT?
• Retrieves information from Twitter as well as Flickr
• Gathers geolocation data from flickr, twitpic.com, yfrog.com, img.ly, plixi.com, twitrpix.com, foleext.com, shozu.com, pickhur.com, moby.to, twitsnaps.com, and twitgoo.com
• Download it from http://ilektrojohn.github.com/creepy/
DEMONSTRATION OF CREE.PY
CLOSING COMMENTS
• Ways to protect yourself against attacks
• More resources to further your knowledge and education
WAYS TO PROTECT YOURSELF
• Educate yourself and your staff on proper procedures when answering the phone, handling e-mail, and questioning people.
• Do not click on links in e-mails.
• Have training in social engineering techniques. (Even a newsletter is better than nothing.)
• Question people in your building whom you do not know, especially if the building is not open to the public.
ADDITIONAL RESOURCES
• www.social-engineer.org
• www.offensive-security.com/metasploit-unleashed/
• www.secmaniac.com
• Social Engineering: The Art of Human Hacking by Chris Hadnagy
• No Tech Hacking by Johnny Long
• Google Hacking by Johnny Long