From: hacked@packetfocus.com
Date: Wed Aug 23 2006 - 21:31:04 EDT
I'll bite..
We use Social Engieering every chance we get during our pen-tests. Whomever thinks that Social-Engineering isn't a valid attack or you can't use it to gain access into a network remotely.. you need to re-evaluate understanding of these types of attacks. It may not have the technical "cool factor" that a BO or other root remote compromises have. But it works.
SE is very affective due to attacks on the "human layer" on the enterprise. How many companies have a measurable security awareness program?? This is your main defense in these types of attacks..
Answer: NOT MANY.
I believe that SE needs to be used whenever possible. Think about it.
Do you think a hacker will have a "scope" or stay in bounds? no.. Then why shouldn't we include this in a penetration test?
If a company wants a "real" ethical hack attempt instead of something so controlled and defined it doesn't portray a real attack.
In regards to reporting.. if the attacker is good the tergeted user will never know what happened so it isn't reported. It leaves less tracks than hacking a web server.
A couple of examples:
Directed Phishing
Phone based SE
Physical SE
Summary: If you have a large enterprise target:
They *should* have good perimeter protection at this point. YOu may find the occasional outdated web server or a service like Veritas that should never be reached from the Internet anyway. But most times you don't get much here.
Applications: We do a lot here and usually get more information on the systems and sometimes still get SQL injections. XSS is found on almost every app. I'd say 30% of these apps give the tester internal access.
So now.. we have tested the infrastructure and applications and may understand the systems better.. but may not have gotten access. ( 5 day timeframe for example).
Now we use all the passive and active recon info to mount the SE attack. This can usually be accomplished with a directed phishing attack ( depending on what type of info we have gathered during the recon stage).
Within a few hours you have crafted a phishing attack and started getting domain credentials and start logging in remotely. OWA gives you tons of info including document scavenging for more info. You can also send emails to get more info.
Citrix can usually be used to gain more info. ( find out how to break out of the application and access the citrix server.. this is very easy if it's a web based app using IE or something)
If the company doesnt have emails posted then get on the phone. It's simple to bounce around an internal phone system. Just think about how you could use power persuasion to get passwords from users..
Of course.. you could always have the RFID badges and walk in the building physically. Plugin a WAP and walkout. ( or autorun 0day exploits that go outbound on 80 connecting back to the testers network)
Have Fun
/End RANT
J. Perrymon
PacketFocus.com
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:48 EDT