Volume 02 Issue 16
In this issue
A main topic lately has been the new release of the book, Social Engineering: The Art of Human Hacking. The positive reviews and feedback have been overwhelming, thank you.
Chris has been invited to try out a new type of workshop at Black Hat DC 2011, where he will present "How To Hack Companies and Make Millions." This two-hour thrill ride takes you through an actual Offensive Security penetration test in which social engineering, tunnelling and client-side attacks were used to completely dominate the target.
The December SE Poll is almost over; get your vote in now!
Finally, Spy Associates continues to send us cool devices to test. Please visit their page to check out some of the coolest devices around.
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Continuum WorldWide for their support and sponsorship
Offensive Security for their continual support. Are you looking for world class security training? Offensive Security has live classes scheduled now. Sign up before they fill up!
Editor: John 'J' Trinckes, Jr
Offensive Security live classes constantly sell out; register early to make sure you don't miss out on the next class.
Email Chris anytime at firstname.lastname@example.org
Take Your Pretexting To The Next Level
We asked in our IRC channel for topic ideas and this month's topic was, in part, prompted by a great suggestion from Jaime Filson aka WiK. Thanks WiK, keep the great ideas coming!
Pretexting is a staple of the social engineer, one that a professional must become proficient at creating, using and perfecting. Yet, as social engineering is one of the largest threats to corporations in the world today, what responsibility does the professional social engineer have to perfect their pretexting skills? In addition, are there certain aspects of developing your pretext that can give you the upper edge?
What is Pretexting?
"Pretexting is defined as the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases, it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Social engineers can use pretexting to impersonate people in certain jobs and roles that they never themselves have done. Pretexting is not a one-size-fits-all solution. A social engineer must develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. For example, mimicking the perfect tech support rep is useless if your target does not use outside support." - Social Engineering: The Art of Human Hacking 2011
In one case, our goal was to compromise a company and steal corporate secrets. This would require us to build a very strong rapport and a serious relationship with the targets. The targets were well guarded, used to being attacked, and ready for most common social engineering tactics. We had to think outside the box and use some serious pretexting tactics to make this work. The following are some of the tactics we used to make sure the pretext was solid.
If you overdress or underdress, you can become disconnected from your target. If your target is a blue collar worker and you dress in a three-piece Armani suit, it can be uncomfortable for the target. Thinking through all these details is very important to the success of the pretext, especially when it comes to items that you need to plan for. In this case, our pretext of being high level management required a car that would support it, which meant not pulling up in my older Honda Accord. Renting a car that fit my pretext was vital; finding a rental place that had the right car and making sure everything was in place took some planning too.
Another idea is to use Google Images. Let's say that our character is a research student at Harvard. Searching Google Images for that returns a page of photos, and analyzing them can give you a good idea of what a research student dresses like, looks like, and more.
What about Props?
First, many social engineers overuse props. They rely so heavily on props that the props drown out the character and cause a disconnect with the target. On the other hand, not using the proper props, or the right amount of them, can cause the same disconnect.
For example, if your pretext is a computer tech support person and you arrive with so many tools and gadgets that no real technician would carry them, it may raise some serious red flags. Coming in with no tools at all causes a strong disconnect as well.
There are two other props that are often overlooked, but should be of serious concern to the professional social engineer.
The business card: It is amazing how simple this little tool is, but how it solidifies in many people's minds that you are who you say you are. For under $25 in the USA, you can have 100-500 decently printed business cards made with your character's name and contact information on them.
A real contact number: In this age, disposable cell phones are so easy to obtain that every social engineer should have one. A dedicated cell phone for this character is not only important for your business card, but gives a very realistic impression. Having a real number with voicemail can make a huge difference.
Besides disposable cell phones, there are services like Numbr that, for as little as $6.99 per month, will give you a disposable number that you can have forwarded to any mobile or land line.
Services like RingCentral are amazing virtual PBX services. They can create a whole virtual office with extensions, fax numbers, call forwarding, and many more real office features. If your pretext needs to be part of an office, you can have calls routed through a real PBX system then out to cell phones or land lines anywhere.
Of course, there are other little things that can make a huge difference like a valid URL and email on that business card. These little things make your pretext even more solid.
Don't Lose Focus
Don't let the details overwhelm you at first. It is OK to make mistakes. Mistakes do two things. First, they make a story real. Not many of us remember every detail and every nuance. Secondly, mistakes are great teachers. Learn from them and improve for the next time.
In the account I mentioned above, we rented a brand new car, made sure we had an expensive looking suit, and for under $200 set up an online virtual PBX system. When I had my business cards printed, they carried a toll free number and extension. This alone solidifies your believability, and it worked.
Approaching the target in a relaxed atmosphere at the same gym allowed for an open conversation to start about how stressful the day was and how hard this work was going to be. Natural curiosity led the target to ask what I do for a living, which made for a realistic reason to give a card. All of these little details made for a very real environment that seemed natural with no reason to question.
A small conversation was started before the workout, and then I made sure to time my completion with the target's without seeming like a stalker. After we were both dressed and heading out the door, I had a chance to ask a few more questions about his work and invite him to a lunch meeting to discuss how we could help each other. Having chosen a good local restaurant, and getting into my "new" car as we parted, the pretext was so solid that there was no reason to doubt me.
It is easy to rely so heavily on the details that the story loses focus too. So in the end, it is a fine balance between details and the big picture. Pretexting is an art form in itself. Mastering it can enhance your audits and your ability to notice little things that may tune you into social engineering attempts against you and your company.
Stay tuned for more next month.
Written by Christopher Hadnagy
Social Engineering in Penetration Tests
We cover a lot of aspects about social-engineering here between the newsletter, the site, podcast, and now Chris’s new book. But this month, I wanted to take a step back and talk about how the practice of social-engineering is put to use in penetration tests.
The threat of social engineering, and the damage it can do to you (or your business), is common knowledge, to the point where I am not going to re-plow that field again. (Be sure to see the results of the latest poll, "Is Social-Engineering the most dangerous threat to companies today?") The natural question becomes: how do you defend against the threat? Obviously, there is no single action that a company can take to "be defended"; it is a question of many different efforts coming together, from security awareness training to filtering technologies, from more secure and well configured baseline templates to the policies of the company. But once that is all in place, how do you know if these measures are working? Where do you concentrate future efforts?
The Concept of Penetration Tests
In its purest sense, a penetration test is an "attack simulation" in which a third party attempts to simulate, as closely as possible, the activities of a malicious party conducting an attack against the organization. This is typically done in a manner intended to minimize adverse events during the testing, to control risk. The goal of the test is to identify proven security concerns for the company and demonstrate how a party could act on those identified issues. In no way does a penetration test act as a comprehensive identification of all security concerns for the organization; rather, it is a way of modeling the most likely routes to compromise of the company. The results of the test are then used to maximize future security efforts in the organization by focusing on the high impact areas identified. This matters because time and budget are limited, and companies want to make sure the benefit of their security expenditure is maximized.
The point is, this sort of open attack simulation is not often done against an organization. There are many reasons for this, but the end result is various controls on the penetration test are put in place, identified in the “scope” of the engagement. This scope defines what can and can’t be done in the course of the assessment and can be imposed for legitimate or valid business reasons. For instance, if an organization knows they have likely issues on mobile device security, it would make sense to conduct a penetration test targeting only these mobile devices. While this does not reflect a true and accurate overview of potential compromise points for the company as a whole, it does focus on the targeted environment and can be very useful for an organization.
To use an example, you may go to a doctor and undergo a heart stress test. You may have other physical problems that need to be addressed; however, that does not mean that the heart stress test is a useless test. When used in conjunction with other assessments of overall health, it can provide a very useful and valid idea of your overall health risk.
Social Engineering Automation
Anyone purchasing a penetration test should insist upon at least this minimal degree of social engineering component being included. This small component of the assessment will deliver far more value than the exploitation inventory that is normally the focus of the testing.
Raising the Floor
There are steps that service providers can take now to help reach this goal. First off, make social engineering attacks a standard part of the penetration test, not an optional add-on. When customers see it there by default, they are more likely to just leave it there, as it removes the "decision" of whether to include it. Identify which attacks you can include in your standard methodology so that you are not doing one-off efforts across different engagements. By using a standard attack set, you are able to provide your customers with true comparisons of how "normal" or not they are relative to your other customers. Additionally, it gives you a metric that you can use in follow-up engagements to show the improvement in the environment that has been gained through the testing.
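One way to turn a standard attack set into the comparison metric described above, as an added example that is not code from the newsletter or from any tool it mentions: the attack names, customer names and result counts below are all constructed for illustration, and the per-attack success rate, peer percentile and baseline-to-follow-up delta are the assumed metrics.

```python
"""Per-engagement metrics for a standard social-engineering attack set.

Added example, not code from the newsletter. Attack names, customer names and
result counts are constructed for illustration only.
"""
from statistics import median

# The provider's standard attack set: the same attacks run on every engagement
# so that results are comparable across customers and across time (assumed names).
STANDARD_ATTACKS = ("phish_link", "phish_credentials", "vishing_reset", "usb_drop")

# Constructed results: {attack: (people targeted, people who performed the action)}.
PEER_ENGAGEMENTS = {
    "acme":    {"phish_link": (100, 35), "phish_credentials": (100, 20), "vishing_reset": (20, 6),  "usb_drop": (10, 4)},
    "globex":  {"phish_link": (200, 50), "phish_credentials": (200, 30), "vishing_reset": (25, 10), "usb_drop": (10, 2)},
    "initech": {"phish_link": (50, 25),  "phish_credentials": (50, 15),  "vishing_reset": (10, 5),  "usb_drop": (10, 6)},
}
CUSTOMER_BASELINE = {"phish_link": (80, 40), "phish_credentials": (80, 24), "vishing_reset": (20, 8), "usb_drop": (10, 3)}
CUSTOMER_FOLLOWUP = {"phish_link": (80, 16), "phish_credentials": (80, 8),  "vishing_reset": (20, 3), "usb_drop": (10, 3)}


def engagement_rates(engagement, attacks=STANDARD_ATTACKS):
    """Success rate per standard attack for one engagement.

    An attack that was out of scope is omitted rather than scored 0.0: a zero
    would read as "nobody fell for it" and silently flatter the customer.
    """
    rates = {}
    for attack in attacks:
        if attack not in engagement:
            continue
        targets, successes = engagement[attack]
        if successes > targets:
            raise ValueError(f"{attack}: more successes than targets")
        rates[attack] = successes / targets if targets else 0.0
    return rates


def percentile_rank(value, population):
    """Fraction of peer values strictly below `value` (1.0 = worse than every peer)."""
    if not population:
        return None
    return sum(1 for v in population if v < value) / len(population)


def compare_to_peers(engagement, peers, attacks=STANDARD_ATTACKS):
    """Place one customer against the provider's other customers, attack by attack."""
    mine = engagement_rates(engagement, attacks)
    peer_rates = [engagement_rates(p, attacks) for p in peers.values()]
    report = {}
    for attack, rate in mine.items():
        population = [r[attack] for r in peer_rates if attack in r]
        report[attack] = {
            "rate": rate,
            "peer_median": median(population) if population else None,
            "percentile": percentile_rank(rate, population),
        }
    return report


def improvement(baseline, followup, attacks=STANDARD_ATTACKS):
    """Change in success rate between two engagements; negative means fewer people fell for it.

    Only attacks run in both engagements are compared, so the metric is not
    skewed by a scope change between the two tests.
    """
    before = engagement_rates(baseline, attacks)
    after = engagement_rates(followup, attacks)
    return {a: after[a] - before[a] for a in before if a in after}


if __name__ == "__main__":
    for attack, row in compare_to_peers(CUSTOMER_BASELINE, PEER_ENGAGEMENTS).items():
        print(f"{attack:18s} rate={row['rate']:.2f} peer_median={row['peer_median']:.2f} "
              f"worse_than={row['percentile']:.0%} of peers")
    for attack, delta in improvement(CUSTOMER_BASELINE, CUSTOMER_FOLLOWUP).items():
        print(f"{attack:18s} change since baseline: {delta:+.2f}")
```

The two design points worth keeping whatever metric you settle on: an attack that was out of scope must be left out, not scored as zero, and a follow-up comparison must only cover attacks that were actually run both times, otherwise the "improvement" number is partly an artifact of the scope.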
Take the time to have your consultants use the tools in a test environment and understand what has to happen for each attack to succeed. SET (the Social-Engineer Toolkit) is a great way to do this, as it lets you watch the actual commands that are passed to the underlying tools. Take the time to research those commands so that you know what it is you are running. Use automated tools to help you maintain your profit margins, but do not believe that you can rely on these tools without understanding what is happening.
We would never argue that automation-based penetration testing is adequate to fill the role of a true attack simulation, but we must accept that these automation-based assessments are here to stay. We must do what we can to increase the usefulness of the products they deliver.
Written by James O'Gorman