Re: Pen-Test and Social Engineering

From: Fixer (fixer907@gmail.com)
Date: Tue Feb 07 2006 - 00:00:58 EST


Erin et al.,

My responses are in-line

<SNIP>
> I'm wondering if any list members would care to
> share some actual cases where SE has been used and their methodology.

I frequently use SE or SE-like techniques when I'm running a pen-test. The
simple reason is that the relative success (or lack thereof) of SE-type
attacks is usually indicative of the organization's overall true security
awareness (as opposed to the once-a-year security awareness that most
employees core dump). Everyone is familiar with the
help/threat/intimidate/lost-soul routines, so I won't waste my time with
those.

Probably one of the best attacks that I've used is as follows:

Create a handful of CDs with some legitimate-looking (but totally bogus)
data on them, an autorun script and a customized backdoor (one that on-demand
AV won't see).
Then label the CDs with some labels that will make people want to see what's
on them. Some of my favorites include:

2006 Payroll Reduction Data
<Company Name> Staff Realignment Survey Results
2007 Cost Reduction Plan
etc.

Just use your imagination. Make sure you slap CONFIDENTIAL on it once or
twice. Also use company logos, and maybe a department name. Just to be
cute I like to put something like: If Found Return to <Department Name>.
Then scatter them around public areas (breakrooms, restrooms, etc).
Typically one of two or three things will happen:

1) An employee will find it, realize "what's on it", go to their desk, slap
it in their desktop. At this point the backdoor launches and you get a
command prompt via that nifty shell that the backdoor shoveled.
2) An employee will find it, return it to the <name> department. The person
who gets it will go "what's this?" and pop it into their system. Same end
result, you just usually get access to a system with more data on it.
3) Someone finds it and takes it home to look at. Not as good, but still
useful if they happen to have a VPN connection.

Also, if you want to invest a little more time (and money) into it, register
a web site and create a simple site. My favorite is to use a "consulting
firm" that has been hired to do an "employee satisfaction survey". Of
course to get to the survey you have to enter your credentials (the same
ones you use to log on to the network). The employees take the "survey" and
the credentials are spit out however you like it. There are a number of ways
to get them to the site, but I typically just log into 25/tcp on their mail
server and send out several handfuls of spoofed messages from someone
important-sounding (usually the HR people or some such). I'm amazed at how
well that works in most cases.

> Sometimes social engineering isn't tricking someone into revealing data,
> sometimes it can be as simple as knowing they'll follow their normal
> procedures, no matter how security-conscious they may be, and exploiting
> it.

Very true. Probably the single most useful thing about SE is that it gives
you a glimpse into how the organization functions, which can be useful in
later stages of the test. Even something as simple as knowing what their
badges look like can help. It's amazing how simple it is to forge an ID
badge once you know what they look like. Ten minutes and the right hardware
and you can make yourself an "employee" of anyone from CNN to the DoD (not
to pick on them).

Personally, I think one of the reasons that some people aren't thrilled
about SE is that it's a little too "touchy-feely" for them and (as previously
noted) not "objective enough". Really though, if you just look at it in
terms of "am I able to get information that will help me further my
test/attack" then it becomes a very objective, yes/no sort of question.

-cdh
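As an added example (not part of the original post), here is a defender-side check for the spoofed-internal-mail technique described above: it parses a constructed, simplified inbound-SMTP log and flags messages that claim a sender in the organization's own domain but arrived unauthenticated from an external address. The domain name, internal network range and log line format are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not taken from the original post): a simplified
# MTA-style record of inbound sessions with the connecting IP, the claimed
# sender, the recipient, the subject and whether SMTP AUTH was used.
SAMPLE_LOG = """\
2006-02-07T09:01:12 connect=203.0.113.45 from=hr-director@example.com to=bob@example.com subject="Employee Satisfaction Survey" auth=none
2006-02-07T09:01:13 connect=10.0.0.25 from=hr-director@example.com to=alice@example.com subject="Benefits reminder" auth=none
2006-02-07T09:02:40 connect=198.51.100.9 from=newsletter@vendor.example.net to=bob@example.com subject="March specials" auth=none
2006-02-07T09:03:01 connect=203.0.113.77 from=ceo@example.com to=carol@example.com subject="Urgent: survey" auth=none
"""

INTERNAL_DOMAIN = "example.com"                         # assumed organization domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal address space

LINE_RE = re.compile(
    r'connect=(\S+) from=(\S+) to=(\S+) subject="([^"]*)" auth=(\S+)'
)


def is_internal_ip(ip):
    """True if the connecting address falls inside an internal network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_spoofed_internal_senders(log_text):
    """Return (connect_ip, sender, subject) for every message that claims an
    internal sender domain but was delivered unauthenticated from outside.
    A legitimate internal sender should come from inside the network or use AUTH."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, sender, _rcpt, subject, auth = m.groups()
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain == INTERNAL_DOMAIN and auth == "none" and not is_internal_ip(ip):
            hits.append((ip, sender, subject))
    return hits


if __name__ == "__main__":
    for ip, sender, subject in find_spoofed_internal_senders(SAMPLE_LOG):
        print(f"possible forged internal sender {sender} from {ip}: {subject!r}")
```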




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT