"Hair is the first thing. And teeth the second. Hair and teeth. A man got those two things he's got it all." -James Brown

Social Engineering CTF – How Strong Is Your Schmooze

You are about to embark on a different type of CTF. The Social Engineering CTF will test your abilities and stretch your limits as a social engineer. Before you sign up, read the rules carefully.

The CTF Rules

  • Each social engineer is sent, via email, a dossier with the name and URL of their target company, chosen from the pool of submitted names.
  • Pre-Defcon, you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for “cheating”.
  • The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional-looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.
  • Each social engineer will be sent a time slot (day/time) to perform their attack vector at Defcon. At Defcon each social engineer will be given 5 minutes to explain to the crowd what they did and what their attack vector is.
  • Each social engineer is then given 20 minutes to perform their attack vector, and points are awarded for information gathered as well as goals successfully accomplished during the process.
  • A scoreboard will be kept and at the end some excellent prizes will be awarded.

1st Place – A Specially Branded 16GB iPad, Winners Plaque and a spot on the Social-Engineer.org Podcast

2nd Place – Offensive Security WiFu Course and 2nd Place Winners Plaque

THE DO NOT LIST:

The underlying idea of this contest is that no one gets victimized during the contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

Items that are not allowed to be targeted at any point of the contest:

  • 1)  No going after very confidential data (e.g. SS#, credit card numbers, etc.). No illegal data.
  • 2)  Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
  • 3)  No porn
  • 4)  At no point are any techniques allowed to be used that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised.”).
  • 5)  No targeting information such as passwords.
  • 6)  No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
  • 7)  The social engineer must only call the target company, not relatives or family of any employee
  • 8)  Use common sense: if something seems unethical, don’t do it. If you have questions, ask a judge.

If at any point in the contest it appears that contestants are targeting anything on the “No” list, they will receive one warning. After the one warning they are disqualified from the contest.

Submitting Target Companies

  • Submit the URLs of two companies you feel are of sufficient size to make a good target
  • Please avoid government agencies and defense contractors
  • It is NOT a given that you will receive one of the companies you suggest as your target, so recommend wisely
  • Companies must have a telephone number available in the USA for the attack to be launched at Defcon

The Flag

  • The “flag” is a custom list of specific bits of information, which you will have to discover during your 20-minute phone call. The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event.

ALL REGISTRANTS MUST BE ATTENDING DEFCON 18 ALL 3 DAYS

If you can comply with all the above and think you still have the skills to become the winning social engineer, then register below:

Thank you for your desire to register in the upcoming Social Engineer CTF at Defcon 18. Our registration is already filled up. Check back in case of cancellations. To be put on a waiting list email defcon -@- social-engineer DOT org


CTF Scoreboard