Social Engineering Techniques

Uploaded by sillysepia (category: Electronics - Devices), 27 Nov 2013

Slide 1: Social Engineering Techniques

Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager

Slide 2: Agenda

1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A

Slide 3: Rapid7 Corporate Profile

Company
- Headquarters: Boston, MA
- Founded 2000, Commercial Launch 2004
- 110+ Employees
- Funded by Bain Capital (Aug. 08) - $9M
- Acquired Metasploit in Oct. 09

Solutions
- Unified Vulnerability Management Products
- Penetration Testing Products
- Professional Services

Customers
- 1,000+ Customers
- SMB, Enterprise
- Community of 65,000+

Partners
- MSSPs
- Security Consultants
- Technology Partners
- Resellers

- #1 Fastest growing company for Vuln. Mgmt
- #1 Fastest growing software company in Mass.
- #7 Fastest growing security company in U.S.
- #15 Fastest growing software company in U.S.
Slide 4: Social Engineering Techniques

Slide 5: Will Vandevanter
- Penetration Tester and Security Researcher
- Web Application Assessments, Internal Penetration Testing, and Social Engineering
- Disclosures on SAP, Axis2, and open source products
- Twitter: @willis__
- will __AT__ rapid7.com

Slide 6: Social Engineering Definition

“The act of manipulating people into performing actions or divulging confidential information.”

Wikipedia (also sourced on social-engineer.org)


Slide 7: Social Engineering Definition Revisited

The act of manipulating the human element in order to achieve a goal.

This is not a new idea.

Slide 8: Visualizing the Enterprise


Slide 9: Goal Orientated Penetration Testing
- The primary objective of all assessments is to demonstrate risk
- ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
- How do I know what is the most important to the business?




Slide 10: How We Use Social Engineering
- To achieve the goals for the assessment
- To test policies and technologies

Slide 11: Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks

Slide 12: Electronic Social Engineering

Slide 13: Information Gathering
- White Box vs. Black Box vs. Grey Box
- Know Your Target
- Gather Your User List
- Email Address Scheming
- Document meta-data
- Google Dorks
- Hoovers, Lead411, LinkedIn, Spoke, Facebook
- Verify Your User List
- Test Your Payload


Slide 14: Template 1 - The Fear Factor
- Goal: To obtain user credentials without tipping off the user
- Identify a user login page
- Outlook Web Access
- Corporate or Human Resources Login Page
- Information Gathering is vital

Slide 15: Pretexting

Slide 16: The Payload

Slide 17: Post Exploitation

Slide 18: How Effective Is It
- Incredibly Successful
- Case Study
- Mid December 2010
- 80 e-mails sent to various offices and levels of users
- 41 users submitted their credentials
- Success varies on certain factors
- Centralized vs. Decentralized Locations
- Help Desk and internal communication process
- Number of e-mails sent
- Time of the day and day of the week matter

Slide 19: Controls and Policy
- Do your users know who to contact if they receive an e-mail like this?
- How well is User Awareness Training working?
- How well is compromise detection working?
- Are your mail filters protecting your users?


Slide 20: Template 2 - Security Patch
- Goal: To have a user run an executable providing internal access to the network.
- Information Gathering:
- Egress filtering rules
- Mail filters
- AV

Slide 21: Pretexting

Slide 22: The Payload
- Meterpreter Executable
- Internal Pivot

Slide 23: Post Exploitation

Slide 24: How Effective Is It?
- Highly Dependent on a high number of factors
- At least 5-10% of users will run it
- Case Study
- July 2010
- ~70 users targeted
- 12 Connect backs made
- Success Varies on Many Factors
- Egress Filtering
- Mail Server Filters
- Server and endpoint AV

Slide 25: Controls and Policy
- Do your users know who to contact if they receive an e-mail like this?
- How well is User Awareness Training working?
- How well is compromise detection working?
- Are your mail filters protecting your users?
- Technical Controls


Slide 26: Tools of The Trade
- Information Gathering
- Maltego
- Shodan
- Hoovers, Lead411, LinkedIn
- Social Engineering Toolkit (SET)
- Social Engineering Framework (SEF)
- Metasploit

Slide 27: Physical Social Engineering

Slide 28: Information Gathering

“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
- Sun Tzu


Slide 29: Information Gathering
- White Box vs. Black Box vs. Grey Box
- Know Your Target
- Pretexting is highly important

Slide 30: Pretexting
- Props or other utilities to create the ‘reality’
- Keep the payload and the goal in mind
- Information Gathering is key


Slide 31: Template 1 - Removable Media
- Goal: To have a user either insert a USB drive or run a file on the USB drive
- Start with no legitimate access to the building
- Getting it in there is the hard part


Slide 32: Pretexting - USB Drives
- The Parking Lot
- Inside of an Envelope
- Empathy
- Bike Messenger, Painter, etc.

Slide 33: Payload
- AutoRun an executable
- Malicious PDF
- Malicious Word Documents

Slide 34: Post Exploitation

Slide 35: Controls and Policies
- What are the restrictions on portable media?
- Was I able to bypass a control to gain access to the building?
- Technical Controls
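A defensive check that pairs with the "AutoRun an executable" payload above and the "restrictions on portable media" question on this slide, added here as an example that is not part of the original deck and not a Rapid7 tool: a PowerShell function that reads the Explorer AutoRun policy values Windows honours (NoDriveTypeAutoRun and NoAutorun) and reports whether autorun.inf launches from removable media are switched off. The registry paths and value names are Microsoft's documented Explorer policy settings; the function name, the report fields and the warning text are this example's own choices.

```powershell
# Added example (not from the Rapid7 deck): audit whether the Windows AutoRun
# policy still allows an executable on removable media to launch via autorun.inf.
# Registry paths and value names (NoDriveTypeAutoRun, NoAutorun) are Microsoft's
# documented Explorer policies; the helper name and report shape are assumptions
# made for this example.

function Get-AutoRunPolicyStatus {
    [CmdletBinding()]
    param()

    # Machine policy wins over the per-user value, so both are reported.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    $findings = foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) {
            # Missing key means no policy is set: Windows defaults apply.
            [pscustomobject]@{ Path = $path; NoDriveTypeAutoRun = $null; NoAutorun = $null }
            continue
        }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path               = $path
            NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun
            NoAutorun          = $props.NoAutorun
        }
    }

    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF (255) disables AutoRun
    # on every drive type, and any lower value leaves some type enabled.
    $allDrivesDisabled = $findings | Where-Object { $_.NoDriveTypeAutoRun -eq 255 }
    # NoAutorun = 1 stops Explorer from honouring autorun.inf at all.
    $autorunInfIgnored = $findings | Where-Object { $_.NoAutorun -eq 1 }

    [pscustomobject]@{
        Findings           = $findings
        AutoRunDisabledAll = [bool]$allDrivesDisabled
        AutorunInfIgnored  = [bool]$autorunInfIgnored
        Compliant          = ([bool]$allDrivesDisabled) -and ([bool]$autorunInfIgnored)
    }
}

# Usage: run from an elevated prompt on a workstation image and flag gaps.
$status = Get-AutoRunPolicyStatus
$status.Findings | Format-Table -AutoSize
if (-not $status.Compliant) {
    Write-Warning 'AutoRun is not fully disabled: set NoDriveTypeAutoRun=0xFF and NoAutorun=1 via Group Policy.'
}
```

A NoDriveTypeAutoRun of 0xFF together with NoAutorun = 1 is the state that removes the autorun.inf path from the removable-media template; anything less belongs in the "Technical Controls" finding for this section, alongside whatever device-control policy limits which USB storage the endpoint will mount.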


Slide 36: Case Study - The Credit Union Heist
- Goal: “Paul” needed to obtain access to the server room at a credit union
- The room itself is locked and accessible via key card only.
- Information Gathering
- Pretexting

Slide 37: Gadgets
- RFID card reader and spoofer
- Pocket Router
- SpoofApp
- Lock Picking Tools
- Uniforms


Slide 38: Closing Thoughts
- Protecting against Social Engineering is extremely difficult
- User Awareness training has its place
- Regularly test your users
- Metrics are absolutely critical to success
- During an assessment much of it can be about luck


Slide 39: Resources
- www.social-engineer.org
- “The Stratagems of Social Engineering” - Jayson Street, DefCon 18
- “Open Source Information Gathering” - Chris Gates, Brucon 2009
- Security Metrics: Replacing Fear, Uncertainty, and Doubt - Andrew Jaquith

Slide 40: Questions or Comments