Network Security Pen-Test

Re: Re: Penetration Testing - Human Factor

Subject: Re: Re: Penetration Testing - Human Factor
Date: 24 Aug 2006 01:31:04 -0000
Ok,

I'll bite..

We use Social Engineering every chance we get during our pen-tests. Whoever 
thinks that Social Engineering isn't a valid attack or you can't use it to gain 
access into a network remotely.. you need to re-evaluate your understanding of these 
types of attacks. It may not have the technical "cool factor" that a BO or 
other remote root compromises have. But it works.

SE is very effective due to attacks on the "human layer" of the enterprise. How 
many companies have a measurable security awareness program?? This is your main 
defense in these types of attacks.. 

Answer: NOT MANY.

I believe that SE needs to be used whenever possible. Think about it.

Do you think a hacker will have a "scope" or stay in bounds? no.. Then why 
shouldn't we include this in a penetration test?

If a company wants a "real" ethical hack attempt instead of something so 
controlled and defined that it doesn't portray a real attack.

In regards to reporting.. if the attacker is good the targeted user will never 
know what happened so it isn't reported. It leaves fewer tracks than hacking a 
web server.

A couple of examples:
Directed Phishing
Phone based SE
Physical SE

Summary: If you have a large enterprise target:
They *should* have good perimeter protection at this point. You may find the 
occasional outdated web server or a service like Veritas that should never be 
reachable from the Internet anyway. But most times you don't get much here.

Applications: We do a lot here and usually get more information on the systems 
and sometimes still get SQL injections. XSS is found on almost every app. I'd 
say 30% of these apps give the tester internal access.

So now.. we have tested the infrastructure and applications and may understand 
the systems better.. but may not have gotten access (5-day timeframe, for 
example).

Now we use all the passive and active recon info to mount the SE attack. This 
can usually be accomplished with a directed phishing attack (depending on what 
type of info we have gathered during the recon stage).

Within a few hours you have crafted a phishing attack and started getting 
domain credentials and start logging in remotely. OWA gives you tons of info 
including document scavenging for more info. You can also send emails to get 
more info. 

Citrix can usually be used to gain more info (find out how to break out of 
the application and access the Citrix server.. this is very easy if it's a web 
based app using IE or something).

If the company doesn't have emails posted then get on the phone. It's simple to 
bounce around an internal phone system. Just think about how you could use 
power persuasion to get passwords from users.. 

Of course.. you could always have the RFID badges and walk into the building 
physically. Plug in a WAP and walk out (or autorun 0day exploits that go 
outbound on 80 connecting back to the tester's network).

Have Fun

/End RANT

J. Perrymon
PacketFocus.com
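The post's "directed phishing from recon info" step depends on one concrete piece of recon: working out the company's e-mail address convention from the few addresses you can find, then applying it to employee names gathered elsewhere. The script below is an added example of that step, not code from the original post or from PacketFocus. The convention table, the observed addresses, the employee names and the domain example-corp.test are all constructed for the demonstration; on a real engagement the observed pairs would come from the target's public pages and the names from passive recon.

```python
"""Infer a target's e-mail address convention from a few observed
addresses and apply it to names gathered during recon.

Added example, not code from the original post or PacketFocus.
The sample names, addresses and domain below are constructed.
"""

import re
from collections import Counter

# Common local-part conventions, keyed by a label. Each takes
# (first, last) and returns the candidate local part.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def _normalize(name):
    """Lower-case, drop punctuation (apostrophes, accents), return (first, last).
    Middle names and particles such as 'da' are ignored; the last token wins."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    if len(parts) < 2:
        raise ValueError(f"need a first and last name: {name!r}")
    return parts[0], parts[-1]


def infer_convention(observed):
    """observed: list of (full name, e-mail address) pairs seen during recon.

    Every convention gets a vote for each pair it reproduces exactly;
    the winner and the most common domain are returned, with the
    fraction of pairs the winner explained so an ambiguous result
    (e.g. 1 of 5) is visible. Returns (None, None, 0.0) if nothing fits.
    """
    votes, domains = Counter(), Counter()
    for name, addr in observed:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        first, last = _normalize(name)
        for label, fmt in CONVENTIONS.items():
            if fmt(first, last) == local:
                votes[label] += 1
    if not votes:
        return None, None, 0.0
    label, count = votes.most_common(1)[0]
    return label, domains.most_common(1)[0][0], count / len(observed)


def build_targets(names, label, domain):
    """Apply an inferred convention to names found via passive recon."""
    fmt = CONVENTIONS[label]
    return [f"{fmt(*_normalize(n))}@{domain}" for n in names]


# Constructed recon sample: two addresses scraped from public pages.
OBSERVED = [
    ("Jane Doe", "jdoe@example-corp.test"),
    ("Robert O'Neil", "roneil@example-corp.test"),
]
# Constructed list of employee names found via passive recon.
RECON_NAMES = ["Alice Smith", "Bob Jones", "Carol da Silva"]

if __name__ == "__main__":
    label, domain, confidence = infer_convention(OBSERVED)
    print(f"convention={label} domain={domain} confidence={confidence:.0%}")
    for target in build_targets(RECON_NAMES, label, domain):
        print(target)
```

The confidence value matters in practice: with two observed addresses several conventions can look plausible, and a phishing wave sent to a guessed format mostly bounces, which is exactly the kind of noise the post says a good attacker avoids. The same table is useful on the defensive side, for estimating how much of a staff directory an attacker can reconstruct from a handful of published addresses.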


