
LPTv4 module 26 social engineering penetration testing


Document information: 46 pages, 2.14 MB

Page 1

ECSA/LPT

Social Engineering Penetration Testing

Page 2

Penetration Testing Roadmap

Start Here

Firewall Penetration Testing

Router and Switches Penetration Testing

Internal Network Penetration Testing

IDS Penetration Testing

Wireless Network Penetration Testing

Denial of Service Penetration Testing

Password Cracking

Stolen Laptop, PDAs and Cell Phones

Social Engineering Penetration Testing

Page 3

Penetration Testing Roadmap

Log Management Penetration Testing

File Integrity Checking

Bluetooth and Handheld Device Penetration Testing

Telecommunication and Broadband Communication

Email Security Penetration Testing

Security Patches Penetration Testing

Page 4

What is Social Engineering?

The term social engineering is used to describe the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public

Examples:

• Names and contact information for key personnel

• System user IDs and passwords

• Proprietary operating procedures

Page 5

Requirements of Social Engineering

Be patient when you make several phone calls to a person to gather sensitive information.

Appear to be confident so that people will believe you.

Develop the trust of the target person by using mirroring techniques.

Know the details of the person you are contacting at the company before you make contact.

Page 6

Steps in Conducting Social Engineering Penetration Test

1 • Attempt social engineering techniques using phone

2 • Attempt social engineering by vishing

3 • Attempt social engineering by telephone

4 • Attempt social engineering using email

5 • Attempt social engineering by using traditional mail

6 • Attempt social engineering in person

7 • Attempt social engineering by dumpster diving

8 • Insider accomplice

9 • Attempt social engineering by shoulder surfing

10 • Attempt social engineering by desktop information

EC-Council

All Rights Reserved Reproduction is Strictly Prohibited

Page 7

Steps in Conducting Social Engineering Penetration Test (cont’d)

11 • Attempt social engineering by extortion and blackmail

12 • Attempt social engineering using websites

13 • Attempt identity theft and phishing attacks

14 • Try to obtain satellite imagery and building blueprints

15 • Try to obtain the details of an employee from social networking sites

16 • Use a telephone monitoring device to capture conversation

17 • Use video recording tools to capture images

18 • Use vehicle/asset tracking system to monitor motor vehicles

19 • Identify “disgruntled employees” and engage in conversation to extract sensitive information

• Document everything

Page 8

Before you Start

Print business cards of a bogus company

Make sure you have an email ID printed on your business card, e.g. jdownes@insuranceusa.com

Buy the clothes that are needed for the social engineering attacks, e.g. a fireman's uniform

Print bogus ID cards

Set up a bogus website for the company you represent

Register a new number for the mobile phone that will be used in the social engineering attack

Page 9

Dress Like a Businessman

Dress like a businessman; wear a tie and an expensive suit

Carry a briefcase

Your attire should command great respect

You are judged by how good you look

Wear glasses to look more intelligent

Page 10

Step 1: Attempt Social Engineering Techniques Using Phone

Call the company's help desk and ask for sensitive information

Call the receptionist, engage in conversation and extract various contact details of the company

Make it look realistic: rehearse many times before you make the call

Have backup answers for every question you throw at the target person

Record the conversation for reporting purposes

"Hi, this is Jason, the VP of sales. I'm at the New York branch today and I can't remember my password. The machine in my home office has that 'Remember password' set, so it's been months since I actually had to enter it. Can you tell me what it is, or reset it or something? I really need to access this month's sales reports ASAP."

"Hi, this is Joanna at the Boston branch. I'm the new LAN administrator and my boss wants this done before he gets back from London. Do you know how I can:

Configure our firewall to have the same policies as corporate?

Download the latest DNS entries from the corporate DNS server to our local server?

Run a transaction on a remote file and print server using a shell command?

Back up the database to our off-site disaster recovery location?

Locate the IP address of the main DNS server?

Set up a backup dial-up connection to the corporate LAN?

Connect this new network segment to the corporate intranet?"

Page 11

Step 2: Attempt Social Engineering by Vishing

Use the vishing technique and pose as an employee of a legitimate enterprise

Trick the users and gather their personal sensitive information

Look for the following:

• Payment card information

• PIN (Personal Identification Number)

Page 12

Step 3: Attempt Social Engineering by Telephone

Three common techniques to perform social engineering using the telephone are:

• Pose as a disgruntled customer.

• Act as a logging helper.

• Appear as a technical support member.

Page 13

Step 4: Attempt Social Engineering Using Email

Create a webpage that spoofs the company's identity

Send an email to someone in the company asking them to visit http://x.x.x.x/login.asp? and to re-login to activate the server upgrade

Make the email look legitimate and real (company fonts, colors, logo, etc.)

Page 14

Step 4: Attempt Social Engineering Using Email (cont'd)

Send sweepstake (like lottery, gifts) information to users and ask them to provide their name, email ID, password, and address through an online form

Another way to obtain information online is by sending mails to users and requesting them to provide their password by posing as a

Page 15

Step 4: Attempt Social Engineering Using Email (cont'd)

"You have been specially selected ..."

"You have won ..."

"A new car! A trip to Hawaii! $2,500 in cash!"

"Yours, absolutely free! Take a look at our ..."

"Your special claim number lets you ..."

"All you pay is postage, handling, taxes ..."

Page 16

Email Spoof: Screenshot 1

Page 17

Email Spoof: Screenshot 2

Page 18

Email Spoof: Screenshot 3
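Step 4 describes sending the "re-login to activate the server upgrade" lure to employees. In an authorised test the thing that matters afterwards is attribution: the report has to say which recipient clicked, and a recipient who edits the link must not get another employee charged with the click. The Python below is an added example written for this page, not code from the EC-Council module. It builds the lure and gives every recipient a link carrying an HMAC tag over (campaign, recipient), then shows the landing-page check that accepts a genuine link and rejects an edited one. The company name, the helpdesk sender address, the campaign label, the query parameter names and the campaign key are assumptions; the landing address http://x.x.x.x/login.asp is the one written on the slide.

```python
"""Phishing-simulation lure with signed per-recipient tracking links.

Added example, not code from the EC-Council module: it builds the slides'
"re-login to activate the server upgrade" lure and makes every link unique to
one recipient, so a click on the landing page can be attributed to that person
in the report and a URL edited by the target cannot be misattributed.
Assumptions (not from the slides): the company name, the helpdesk sender
address, the campaign key and the query parameter names.
"""
import base64
import hashlib
import hmac
from email.message import EmailMessage
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one random key per engagement, known only to the tester and to
# the landing page. Fixed here so the example is deterministic offline.
CAMPAIGN_KEY = b"example-engagement-key-do-not-reuse"
LANDING_URL = "http://x.x.x.x/login.asp"  # address as written on the slide
CAMPAIGN_ID = "se-test-01"                 # assumed campaign label


def _tag(campaign_id: str, recipient: str) -> str:
    """HMAC-SHA256 over campaign|recipient, URL-safe base64 without padding."""
    msg = f"{campaign_id}|{recipient}".encode()
    mac = hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_tracking_url(recipient: str, campaign_id: str = CAMPAIGN_ID) -> str:
    """Link unique to one recipient: c = campaign, r = recipient, t = tag."""
    query = urlencode({"c": campaign_id, "r": recipient, "t": _tag(campaign_id, recipient)})
    return f"{LANDING_URL}?{query}"


def attribute_click(url: str) -> Optional[str]:
    """Landing-page side: return the recipient for a genuine link, else None.

    A link whose recipient or campaign was edited (or a bare URL without the
    parameters) fails the constant-time comparison and is logged as
    unattributed instead of being charged to the wrong employee.
    """
    params = parse_qs(urlparse(url).query)
    try:
        campaign, recipient, tag = params["c"][0], params["r"][0], params["t"][0]
    except KeyError:
        return None
    expected = _tag(campaign, recipient)
    return recipient if hmac.compare_digest(tag.encode(), expected.encode()) else None


def build_lure(recipient: str, company: str = "Example Corp") -> EmailMessage:
    """The slides' pretext: re-login to activate the server upgrade."""
    msg = EmailMessage()
    msg["Subject"] = f"[{company} IT] Action required: re-activate your account after server upgrade"
    # Assumed sender; in a real test the display name mimics the company's helpdesk.
    msg["From"] = f"{company} IT Helpdesk <it-helpdesk@example.com>"
    msg["To"] = recipient
    msg.set_content(
        "Dear colleague,\n\n"
        f"As part of this weekend's server upgrade, all {company} accounts must be re-activated.\n"
        "Please log in again at the link below within 24 hours:\n\n"
        f"    {make_tracking_url(recipient)}\n\n"
        f"{company} IT Helpdesk\n"
    )
    return msg


if __name__ == "__main__":
    lure = build_lure("alice@example.com")
    print(lure)
    link = make_tracking_url("alice@example.com")
    print("genuine link ->", attribute_click(link))                         # alice@example.com
    print("edited link  ->", attribute_click(link.replace("alice", "bob")))  # None
```

The landing page in a simulation should record only the click and, at most, the fact that the form was submitted; it should never store the password typed in, and the campaign key stays on the tester's infrastructure so that nobody else can mint valid links.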

Page 19

Step 5: Attempt Social Engineering by Using Traditional Mail

Send "snail" mail letters to selected employees of the target company

Make the letter look real so that people fall for the scam

Example:

• Congratulations, you've been preapproved for a holiday to London (all expenses paid). To claim your gift, please complete the enclosed circulation survey and return it to us at Green Apple Travel Services.

• If you accept this offer by 3/4/2004, we will also send you a complimentary American Express leather wallet.

Page 20

Fake prize letter offering holiday trip in exchange for survey

Page 21

Step 6: Attempt Social Engineering in Person

Visit the physical facility and attempt social engineering techniques

Rehearse what you are going to say

Dress appropriately: for example, if you are going to pose as a fireman, then you had better wear the uniform and speak like one

Page 22

"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."

Page 23

"Hi, I'm Sharon, I'm a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."

Page 24

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.

Page 25

Step 7: Attempt Social Engineering by Dumpster Diving

The term dumpster diving is used to describe searching disposal areas for information that has not been properly destroyed

Many organizations utilize hotel conference rooms or other unsecured facilities to conduct brainstorming sessions.

Once the session is complete, no one considers wiping down the whiteboards used to record the output of the meeting

Page 26

Steps for Dumpster Diving

Collect trash cans and paper bins

Trash can be searched inside the office or outside

Page 27

Step 8: Insider Accomplice

A developer building a Trojan horse or time bomb into a web application (especially if the developer is a short-term consultant)

A DBA adding some attacker-friendly stored procedures to the production database

A webmaster installing a backdoor or rootkit on the web server

A network engineer making an illicit copy of a production server's entire hard drive

Page 28

Step 8: Insider Accomplice (cont'd)

A system administrator forgetting to install an operating system security patch

A value-added reseller (VAR) installing a firewall and leaving the manufacturer's default maintenance account active

An engineer from the local utility company attaching a network sniffer

Page 29

Using social engineering techniques, befriend someone inside the company and try turning them into an accomplice

This could be achieved by:

• Bribing

• Becoming involved in a personal relationship

• Helping the person by understanding his needs

• Exchanging favors for movie tickets, football games, etc.

• Handing out gifts such as mobile phones

Page 30

Step 9: Attempt Social Engineering by Shoulder Surfing

Shoulder surfing is the process of looking over someone's shoulder in order to gather a password, a PIN code, or other critical information

Perform the following:

• Gaze at someone's password or PIN code entry with the help of binoculars or a low-power telescope

• Coat the keypad with a thin painted ultraviolet material so that you can view the keys or PIN entered by the user

• Listen to the keystrokes while a user types a password so that you can judge the number of characters the user's password contains

• Listen to the telephone keypad when a user dials a PIN to determine the PIN code from the sounds of the Dual Tone Multi Frequency (DTMF) tones
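The last bullet above says a PIN can be recovered from the DTMF tones of a telephone keypad; the slide does not say how. Each key is a fixed pair of one low-group and one high-group frequency, so a recording of the key presses can be decoded by measuring the power of the eight DTMF frequencies in short frames with a Goertzel filter bank and mapping the strongest low/high pair back to the key. The Python below is an added example written for this page, not code from the EC-Council module. The audio it decodes is constructed in code (8 kHz mono tones with a little noise), so it runs offline; the frame length of 205 samples is the classic choice for 8 kHz DTMF detection, and the silence and dominance thresholds are assumptions chosen for this synthetic input.

```python
"""Recovering a keypad PIN from recorded DTMF tones.

Added example, not code from the EC-Council module. Each key is a fixed pair
of one low and one high frequency; a Goertzel filter bank over short frames
of the recording picks the clearly dominant low and high tone and maps the
pair back to the key. The test audio is constructed here (8 kHz mono, light
noise). Frame length 205 samples is the classic choice for 8 kHz DTMF
decoding; the silence and dominance thresholds are assumptions.
"""
import math
import random
from typing import List, Optional

SAMPLE_RATE = 8000
LOW_FREQS = (697, 770, 852, 941)       # keypad rows
HIGH_FREQS = (1209, 1336, 1477, 1633)  # keypad columns
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME = 205              # samples per analysis frame (~25.6 ms)
MIN_MEAN_SQUARE = 0.01   # below this a frame is treated as silence (assumed)
MIN_RATIO = 4.0          # dominant tone must beat the runner-up by this factor (assumed)


def goertzel_power(frame: List[float], target_hz: float) -> float:
    """Power of one frequency in a frame via the second-order Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * target_hz / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def _dominant(frame: List[float], freqs) -> Optional[int]:
    """Index of the clearly dominant frequency in the group, or None if ambiguous."""
    powers = [goertzel_power(frame, f) for f in freqs]
    ranked = sorted(range(len(freqs)), key=lambda i: powers[i], reverse=True)
    best, second = ranked[0], ranked[1]
    return best if powers[best] >= MIN_RATIO * powers[second] else None


def classify_frame(frame: List[float]) -> Optional[str]:
    """Key pressed during this frame, or None for silence or ambiguous audio."""
    if sum(x * x for x in frame) / len(frame) < MIN_MEAN_SQUARE:
        return None
    row, col = _dominant(frame, LOW_FREQS), _dominant(frame, HIGH_FREQS)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_dtmf(samples: List[float]) -> str:
    """Walk the recording frame by frame; each key press is reported once."""
    keys: List[str] = []
    last: Optional[str] = None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = classify_frame(samples[start:start + FRAME])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def synthesize_keypresses(keys: str, tone_ms: int = 80, gap_ms: int = 60,
                          amplitude: float = 0.5, noise: float = 0.02,
                          seed: int = 0) -> List[float]:
    """Constructed test audio: each key as its tone pair followed by a silent gap."""
    rng = random.Random(seed)
    out: List[float] = []
    for key in keys:
        row = next(r for r, labels in enumerate(KEYPAD) if key in labels)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(key)]
        for n in range(SAMPLE_RATE * tone_ms // 1000):
            t = n / SAMPLE_RATE
            out.append(amplitude * math.sin(2 * math.pi * f_low * t)
                       + amplitude * math.sin(2 * math.pi * f_high * t)
                       + rng.uniform(-noise, noise))
        out.extend(rng.uniform(-noise, noise) for _ in range(SAMPLE_RATE * gap_ms // 1000))
    return out


if __name__ == "__main__":
    audio = synthesize_keypresses("1234#")
    print("recovered keypad entry:", decode_dtmf(audio))  # 1234#
```

Run against a real call recording the same loop would take the decoded PCM samples instead of the synthetic list; the gap between presses is what lets repeated digits such as "1100" be counted separately. The defensive reading is the same code: if your own IVR or call-recording platform keeps the audio of PIN entry, this is all it takes to read the PINs back, which is why DTMF masking on recorded call legs is the usual control.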

Page 31

Step 10: Attempt Social Engineering by Desktop Information

Use the computer's cache files to gather all recent passwords, websites visited, and cookies, which can be used to exploit the user's network access

Perform desktop social engineering during office hours, when the employees are in the office but away from their systems

Check for employees who never lock their drawers and keep their files and papers on their desk, from which sensitive information like user names, passwords, and so on can be gathered easily

Page 32

Step 11: Attempt Social Engineering by Extortion and Blackmail

You can attempt blackmail and extortion if your penetration testing contract allows it

This type of pen-test might bring in the local police authorities if not handled correctly

The management and the IT team should be aware of every step in this experiment

Call an employee and threaten him like:

• "I was treated very badly because of your customer service. You, John Stevens, as a support engineer, have violated US environmental act 345, 222, 563. I will be initiating a lawsuit against you as a person and your firm and report the breaches to the US environmental agency unless……"

Page 33

Step 12: Attempt Social Engineering Using Websites

Use fake sites to redirect the employees to give out passwords and other sensitive information

Page 34

Step 13: Identity Theft and Phishing Attacks

Attempt identity theft using employees' company IDs.

Attempt phishing attacks on company employees and see if you can deceive them.

Page 35

Step 14: Try to Obtain Satellite Imagery and Building Blueprints

This will help you to locate doors, windows, and exits at the premises

You don't have to guess where to go at the location

The building blueprint can be obtained from the land administration department

Page 36

Company Blueprint

Page 37

Step 15: Try to Obtain the Details of an Employee from Social Networking Sites

Visit social networking websites:

Gather the details of the employee from the communities that are available on the social networking sites

Page 38

Social Networking Websites:

Page 39

Step 16: Use Telephone Monitoring Device to Capture Conversation

Only a tie-up with authorized federal agencies may allow you to engage in wiretaps legally

Sensitive information can be revealed by phone calls recorded without the other party's consent, but such recordings are illegal and may not be usable as evidence

Devices: Telephone recorders and call recorders

Page 40

Step 17: Use Video Recording Tools to Capture Images

This will help you to capture streaming video and snapshots of the victim's computer screen where you can capture their:

Page 41

Step 18: Use Vehicle/Asset Tracking System to Monitor Motor Vehicles

RF Scout GPS Tracking System

Page 42

Spy Gadgets

Use spy gadgets to get insider information of the organization

A spy camera system concealed in a decorative clock automatically records images on a removable memory card

256MB flash memory records up to 9 hours of voice via built-in microphone and also holds your favorite MP3s.

Posted: 14/12/2021, 21:14