ECSA/LPT EC-Council Module XXVI: Social Engineering Penetration Testing

Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd

EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

What is Social Engineering?
The term social engineering describes the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public.
Examples:
• Names and contact information for key personnel
• System user IDs and passwords
• Proprietary operating procedures
• Customer profiles
Requirements of Social Engineering
• Be patient when you make several phone calls to a person to gather sensitive information.
• Appear confident so that people will believe you.
• Develop the trust of the target person by using mirroring techniques.
• Know the details of the person you are contacting at the company before you make contact.

Steps in Conducting a Social Engineering Penetration Test
1 • Attempt social engineering techniques using the phone
2 • Attempt social engineering by vishing
3 • Attempt social engineering by telephone
4 • Attempt social engineering using email
5 • Attempt social engineering using traditional mail
6 • Attempt social engineering in person
7 • Attempt social engineering by dumpster diving
8 • Insider accomplice
9 • Attempt social engineering by shoulder surfing
10 • Attempt social engineering by desktop information

Steps in Conducting a Social Engineering Penetration Test (cont'd)
11 • Attempt social engineering by extortion and blackmail
12 • Attempt social engineering using websites
13 • Attempt identity theft and phishing attacks
14 • Try to obtain satellite imagery and building blueprints
15 • Try to obtain the details of an employee from social networking sites
16 • Use a telephone monitoring device to capture conversations
17 • Use video recording tools to capture images
18 • Use a vehicle/asset tracking system to monitor motor vehicles
19 • Identify "disgruntled employees" and engage them in conversation to extract sensitive information
20 • Document everything

Before You Start
• Print business cards of a bogus company
• Make sure you have an email ID printed on your business card, e.g. jdownes@insuranceusa.com
• Buy the clothes needed for the social engineering attacks, e.g. a fireman's uniform
• Print bogus ID cards
• Set up a bogus website for the company you represent
• Register a new number for the mobile phone that will be used in the social engineering attack

Dress Like a Businessman
• Dress like a businessman; wear a tie and an expensive suit
• Carry a briefcase
• Your attire should command great respect
• You are judged by how good you look
• Wear glasses to look more intelligent

Step 1: Attempt Social Engineering Techniques Using the Phone
• Call the company's help desk and ask for sensitive information
• Call the receptionist, engage in conversation, and extract various contact details of the company
• Make it look realistic; rehearse many times before you make the call
• Have backup answers for every question you throw at the target person
• Record the conversation for reporting purposes

Example scripts:
"Hi, this is Jason, the VP of sales. I'm at the New York branch today and I can't remember my password. The machine in my home office has that 'Remember password' option set, so it's been months since I actually had to enter it. Can you tell me what it is, or reset it or something? I really need to access this month's sales reports ASAP."

"Hi, this is Joanna at the Boston branch. I'm the new LAN administrator and my boss wants this done before he gets back from London. Do you know how I can:
• Configure our firewall to have the same policies as corporate?
• Download the latest DNS entries from the corporate DNS server to our local server?
• Run a transaction on a remote file and print server using a shell command?
• Back up the database to our off-site disaster recovery location?
• Locate the IP address of the main DNS server?
• Set up a backup dial-up connection to the corporate LAN?
• Connect this new network segment to the corporate intranet?"

[...]

Step 2: Attempt Social Engineering by Vishing
• Use the vishing technique and pose as an employee of a legitimate enterprise
• Trick the users and gather their personal sensitive information
• Look for the following:
  • Payment card information
  • PIN (Personal Identification Number)
  • Social insurance number
  • Date of birth
  • Bank account numbers
[...]

Step 3: Attempt Social Engineering by Telephone
Three common techniques to perform social engineering using the telephone are:
• Pose as a disgruntled customer
• Act as a logging helper
• Appear as a technical support member

Step 4: Attempt Social Engineering Using Email
• Create a [...]
[...] server upgrade
• Make the email look legitimate and real (company fonts, colors, logo, etc.)

Step 4: Attempt Social Engineering Using Email (cont'd)
• Send sweepstake (lottery, gifts) information to users and ask them to provide their name, email ID, password, and address through [...]

[...] prize letter offering a holiday trip in exchange for a survey

Step 6: Attempt Social Engineering in Person
• Visit the physical facility and attempt social engineering techniques
• Rehearse what you are going to say
• Dress appropriately; for example, if you are going to pose as a fireman then you had better wear [...]
[...] uniforms and speak like them
• Ask questions that reveal:
  • Sensitive information
  • Contact information
  • Company policies
  • IT infrastructure
• Invite the party for a drink or coffee and continue social engineering techniques at the coffee table
• Establish trust

Example
"Hi, I'm John Brown [...]

[...] intruder's masquerade to allow him or her to gain access to the targeted secured resource

Step 7: Attempt Social Engineering by Dumpster Diving
The term dumpster diving is used to describe searching disposal areas for information that has not been properly destroyed. Many organizations utilize [...] conference [...] retrieving any useful-looking post-its from the computer room's wastepaper bin.

Step 8: Insider Accomplice
Using social engineering techniques, befriend someone inside the company and try turning them into an accomplice. This could be achieved by:
• Bribing
• Becoming involved in a personal relationship
• [...] his needs
• Exchange for movie tickets, football games, etc.
• Handing out gifts such as handphones

Step 9: Attempt Social Engineering by Shoulder Surfing
Shoulder surfing is the process of looking over someone's shoulder in order to gather a password, a PIN code, or other critical information.
Perform the following: [...]

Step 10: Attempt Social Engineering by Desktop Information
• Check for a desktop system that has not been locked by its user, use the system with all the permissions and access rights of that user, and gather sensitive information
• Use the computer's cache files to gather recent passwords, websites visited, and cookies, which can be used to exploit the user's network access
• Perform desktop social [...]

[...] password, and so on can be gathered easily

Step 11: Attempt Social Engineering by Extortion and Blackmail
• You can attempt blackmail and extortion only if your penetration testing contract allows it
• This type of pen-test might involve local police authorities if not handled correctly
• The management and the IT team should [...]
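Step 4 above tells the tester to send a legitimate-looking "server upgrade" email, and step 20 to document everything. The following is an added example, not code from the EC-Council module, showing how a tester on an authorized engagement makes each simulated phishing email attributable in the report: every recipient gets an opaque HMAC-derived token in the landing link (no email address in the URL), and landing-page access-log lines are mapped back to the recipient who clicked. The landing URL, sender, campaign key, recipient addresses and log lines are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical campaign parameters (assumptions for illustration, not real values).
# In a real engagement generate CAMPAIGN_KEY with secrets.token_bytes(32) per campaign.
LANDING_URL = "https://portal-upgrade.example.test/login"
CAMPAIGN_KEY = b"per-campaign-secret-generated-with-secrets.token_bytes"
SENDER = "IT Helpdesk <helpdesk@example.test>"


def make_token(recipient: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Opaque, deterministic per-recipient token (HMAC-SHA256, truncated).

    The link carries no email address, so a forwarded link still attributes
    to the original target, and a token cannot be derived without the key.
    """
    mac = hmac.new(key, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def build_campaign(recipients: List[str]) -> Dict[str, str]:
    """Map token -> recipient for everyone in scope; keep this table for the report."""
    return {make_token(r): r for r in recipients}


def tracking_link(token: str) -> str:
    return f"{LANDING_URL}?{urlencode({'t': token})}"


def build_email(recipient: str, token: str) -> EmailMessage:
    """Pretext: an IT 'server upgrade' notice, with plain-text and HTML parts."""
    link = tracking_link(token)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = "Action required: re-authenticate after the mail server upgrade"
    msg.set_content(
        "Our mail server was upgraded last night. Please sign in within 24 hours\n"
        f"to keep your mailbox active: {link}\n"
    )
    msg.add_alternative(
        "<html><body><p>Our mail server was upgraded last night.</p>"
        f'<p><a href="{link}">Sign in to keep your mailbox active</a></p>'
        "</body></html>",
        subtype="html",
    )
    return msg


# Matches the request line of an Apache/nginx "combined" access-log entry.
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def token_from_log_line(line: str) -> Optional[str]:
    """Pull the t= parameter from an access-log entry for the landing page only."""
    m = _REQ.search(line)
    if not m:
        return None
    url = urlparse(m.group(1))
    if url.path != urlparse(LANDING_URL).path:
        return None
    return parse_qs(url.query).get("t", [None])[0]


def attribute_clicks(log_lines: List[str], campaign: Dict[str, str]) -> Dict[str, int]:
    """Count landing-page hits per recipient; tokens not in the campaign are ignored."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        tok = token_from_log_line(line)
        who = campaign.get(tok) if tok else None
        if who:
            hits[who] = hits.get(who, 0) + 1
    return hits


# Constructed sample data: three in-scope targets and a fake web-server access log.
TARGETS = ["a.lee@example.test", "b.ortiz@example.test", "c.nair@example.test"]
CAMPAIGN = build_campaign(TARGETS)
SAMPLE_LOG = [
    f'10.0.0.7 - - [01/Jan/2024:09:12:01 +0000] "GET /login?t={make_token(TARGETS[0])} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [01/Jan/2024:09:15:44 +0000] "GET /login?t={make_token(TARGETS[1])} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.7 - - [01/Jan/2024:09:16:02 +0000] "POST /login?t={make_token(TARGETS[0])} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [01/Jan/2024:09:20:10 +0000] "GET /login?t=notacampaigntoken HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.3 - - [01/Jan/2024:09:21:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(build_email(TARGETS[0], make_token(TARGETS[0])).as_string())
    print(attribute_clicks(SAMPLE_LOG, CAMPAIGN))
```

Tokens are derived with a keyed HMAC rather than a plain hash so that nobody who sees one link can compute another employee's token from their address; the token-to-recipient table and the campaign key belong in the engagement evidence, and the POST hit in the sample log is the kind of entry that records a credential submission rather than just a click.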
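Step 10 above says to harvest "websites visited" from an unlocked desktop's cache files. The following is an added example, not code from the EC-Council module, that reads the recent-history table of a Chromium-style `History` SQLite file and flags URLs of portals that gate network access. Chromium stores its timestamps as microseconds since 1601-01-01 UTC, which is the detail most ad-hoc scripts get wrong. The subset of the `urls` table schema used here, the sample rows and the keyword list are assumptions constructed for the example.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Chromium-based browsers store history in an SQLite file named "History" and
# record times as microseconds since 1601-01-01 UTC (the WebKit epoch), not the
# Unix epoch. Treating them as Unix microseconds shifts every time by ~369 years.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

HistoryRow = Tuple[datetime, str, str, int]  # (visited_at, url, title, visit_count)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    # Floor-dividing timedeltas keeps the result an exact integer (no float rounding).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def recent_history(db_path: str, limit: int = 10) -> List[HistoryRow]:
    """Newest-first rows from a Chromium History file.

    Opened read-only through an SQLite URI so the evidence file is not altered.
    Only the `urls` columns this query needs are assumed: url, title,
    visit_count, last_visit_time, hidden.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT last_visit_time, url, title, visit_count FROM urls "
            "WHERE hidden = 0 ORDER BY last_visit_time DESC LIMIT ?",
            (limit,),
        ).fetchall()
    finally:
        conn.close()
    return [(webkit_to_datetime(t), url, title, n) for t, url, title, n in rows]


def interesting(rows: List[HistoryRow],
                keywords=("login", "vpn", "mail", "admin", "payroll")) -> List[str]:
    """URLs worth following up in the report: portals that gate network access (assumed list)."""
    return [url for _, url, _, _ in rows if any(k in url.lower() for k in keywords)]


def build_sample_history(db_path: str) -> None:
    """Constructed sample data in the subset of Chromium's `urls` schema used above."""
    utc = timezone.utc
    sample = [  # (url, title, visit_count, last visit, hidden)
        ("https://vpn.example.test/login", "VPN Portal", 12, datetime(2024, 3, 4, 8, 0, tzinfo=utc), 0),
        ("https://mail.example.test/owa/", "Outlook Web App", 40, datetime(2024, 3, 4, 9, 30, tzinfo=utc), 0),
        ("https://intranet.example.test/hr/payroll", "Payroll", 3, datetime(2024, 3, 1, 12, 0, tzinfo=utc), 0),
        ("https://news.example.test/", "Daily News", 99, datetime(2024, 3, 4, 9, 45, tzinfo=utc), 0),
        ("https://tracker.example.test/pixel", "", 1, datetime(2024, 3, 4, 9, 46, tzinfo=utc), 1),
    ]
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute(
            "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
            "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
        )
        conn.executemany(
            "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
            "VALUES (?, ?, ?, 0, ?, ?)",
            [(u, t, n, datetime_to_webkit(ts), h) for u, t, n, ts, h in sample],
        )
    conn.close()


def demo() -> List[HistoryRow]:
    """Build the sample file in a scratch directory and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "History")
        build_sample_history(path)
        return recent_history(path)


if __name__ == "__main__":
    rows = demo()
    for visited_at, url, title, count in rows:
        print(f"{visited_at:%Y-%m-%d %H:%M} {count:>4}  {title!r:<20} {url}")
    print("follow up:", interesting(rows))
```

On a live desktop the browser holds a lock on its `History` file, so copy the file first and run the query against the copy; Firefox keeps the equivalent data in `places.sqlite` (`moz_places.last_visit_date`), where the value is microseconds since the Unix epoch, so the WebKit conversion must not be applied there.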