
Social Engineering Techniques

Presentation transcript:

1 Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager

2 Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A

3 Rapid7 Corporate Profile
Company: Headquarters in Boston, MA. Founded 2000, commercial launch 2004. 110+ employees. Funded by Bain Capital (Aug. 2008, $9M). Acquired Metasploit in Oct. 2009.
Solutions: Unified Vulnerability Management products, Penetration Testing products, Professional Services.
Customers: 1,000+ customers (SMB and enterprise); community of 65,000+.
Partners: MSSPs, security consultants, technology partners, resellers.
Organizations use Rapid7 to detect risk, mitigate threats and ensure compliance.
#1 fastest growing company for vulnerability management; #1 fastest growing software company in Massachusetts; #7 fastest growing security company in the U.S.; #15 fastest growing software company in the U.S.

4 Social Engineering Techniques

5 Will Vandevanter
Penetration Tester and Security Researcher
Web Application Assessments, Internal Penetration Testing, and Social Engineering
Disclosures on SAP, Axis2, and open source products
Contact: will __AT__ rapid7.com

6 Social Engineering Definition
"The act of manipulating people into performing actions or divulging confidential information." (Wikipedia; also cited on social-engineer.org)

7 Social Engineering Definition Revisited
The act of manipulating the human element in order to achieve a goal. This is not a new idea.

8 Visualizing the Enterprise

9 Goal-Oriented Penetration Testing
The primary objective of every assessment is to demonstrate risk.
"Hack me" or "We just want to know if we are secure" is not a specific enough goal.
How do I know what is most important to the business?

10 How We Use Social Engineering
To achieve the goals for the assessment To test policies and technologies

11 Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks

12 Electronic Social Engineering

13 Information Gathering
White Box vs. Black Box vs. Grey Box
Know your target
Gather your user list: address scheme, document metadata, Google dorks, Hoovers, Lead411, LinkedIn, Spoke, Facebook
Verify your user list
Test your payload
The amount of information to be gathered depends on the engagement. White Box: the contact provides all of the information. Black Box: I obtain the information myself; in other words, the point of contact just says "go at it" with no knowledge of when the attack will occur, to whom, or how. Grey Box: on a longer timeline I usually encourage a hybrid approach, so I'll gather a list of users and the scenarios I may use, and then vet these with my point of contact.
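The "address scheme" step above is the part of user-list building that is easiest to automate: from a handful of addresses you already know (document metadata, mailing-list archives, press contacts), infer the naming convention and apply it to the names you gathered from LinkedIn and the like. The following is an added example, not code from the deck or from Rapid7; the scheme table, the `corp.example` domain and all sample names are constructed for illustration.

```python
import re

# Common corporate address schemes, as (first, last) -> local part.
# The labels and the table are my own; extend it if a target uses something else.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

def _norm(token):
    """Lower-case and strip anything outside a-z (O'Brien -> obrien, Lee-Wong -> leewong)."""
    return re.sub(r"[^a-z]", "", token.lower())

def _split_name(full_name):
    """Crude first/last split: first token and last token. Multi-word surnames
    (e.g. 'Van Dyke') come out wrong, which is one reason the list needs vetting."""
    parts = full_name.split()
    if len(parts) < 2:
        return None
    return _norm(parts[0]), _norm(parts[-1])

def infer_scheme(known_pairs):
    """known_pairs: iterable of (full_name, e-mail) already confirmed for the target.
    Returns the scheme label that explains the most samples, or None if none match."""
    scores = dict.fromkeys(SCHEMES, 0)
    for full_name, email in known_pairs:
        name = _split_name(full_name)
        if name is None or "@" not in email:
            continue
        local = email.split("@", 1)[0].lower()
        for label, fmt in SCHEMES.items():
            if fmt(*name) == local:
                scores[label] += 1
    best = max(scores, key=scores.get)
    return best if scores[best] else None

def generate_candidates(names, domain, scheme):
    """Apply one scheme to the gathered name list; drops duplicates, keeps order."""
    fmt = SCHEMES[scheme]
    seen, out = set(), []
    for full_name in names:
        name = _split_name(full_name)
        if name is None:
            continue
        addr = f"{fmt(*name)}@{domain}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out

# Constructed sample data (assumed, not from any real engagement).
KNOWN = [
    ("Alice Example", "alice.example@corp.example"),
    ("Bob O'Brien", "bob.obrien@corp.example"),
    ("Carol Lee-Wong", "carol.leewong@corp.example"),
    ("Help Desk", "helpdesk@corp.example"),   # role account; matches no scheme
]
GATHERED = ["Dan Jones", "Erin Van Dyke", "Dan Jones", "Frank"]  # "Frank" has no surname

if __name__ == "__main__":
    scheme = infer_scheme(KNOWN)
    print(scheme, generate_candidates(GATHERED, "corp.example", scheme))
```

The candidates still have to be verified (the deck's next step) before any of them are targeted; the example only narrows the guess space, and the "Erin Van Dyke" output shows why a human pass over the list is not optional.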

14 Template 1 – The Fear Factor
Goal: To obtain user credentials without tipping off the user
Identify a user login page: Outlook Web Access, corporate or Human Resources login page
Information gathering is vital
The

15 Pretexting
I'd like to point out a couple of things about this e-mail that contribute to creating this reality: the use of brackets with capital letters implies an automatically generated message from a system address; it is targeted with the user's first name; and the first sentence is meant to create a sense of panic. At this point I don't care if the user even reads the rest of the e-mail; I just want them to click the link.

16 The Payload

17 Post Exploitation

18 How Effective Is It? Incredibly Successful: Case Study
Mid December 2010: 80 e-mails sent to various offices and levels of users; 41 users submitted their credentials.
Success depends on several factors: centralized vs. decentralized locations; help desk and internal communication process; number of e-mails sent; time of day and day of the week.

19 Controls and Policy
Do your users know whom to contact if they receive an e-mail like this? How well is user awareness training working? How well is compromise detection working? Are your mail filters protecting your users?
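The pretexting slide lists the tells this template relies on (a bracketed all-caps tag, urgency in the first sentence, a link to a look-alike login page), and the controls slide asks whether the mail filters catch them. The following is an added example, not from the deck or from any Rapid7 tool: a small heuristic check over one message that flags exactly those tells plus a Reply-To that does not match the sender. The two sample messages, their domains and the phrase list are constructed; a real filter would use a public-suffix list and a tuned phrase set.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that push the reader to act before thinking (the "fear factor"). Assumed list.
URGENCY = ("action required", "immediately", "suspended", "within 24 hours",
           "verify your account", "expires today")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(url_or_host):
    """Crude 'registrable domain' = last two labels. Fine for .example/.com,
    wrong for co.uk-style suffixes (use a public-suffix list in production)."""
    s = url_or_host.strip()
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def _domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    # Tell 1: "[ACTION REQUIRED]"-style tag that mimics an automated notice.
    if re.match(r"^\s*\[[A-Z][A-Z0-9 _-]*\]", subject):
        findings.append(("caps_tag", subject))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    # Tell 2: urgency language anywhere in subject or body.
    hits = [p for p in URGENCY if p in (subject + " " + body).lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # Tell 3: replies are steered to a different domain than the apparent sender.
    from_dom, reply_dom = _domain_of(msg.get("From")), _domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("replyto_mismatch", f"{from_dom} -> {reply_dom}"))
    # Tell 4: link text shows one site, href goes to another (the fake OWA page).
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _AnchorCollector()
        collector.feed(body)
        for href, text in collector.anchors:
            if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
                if _registrable(text) != _registrable(href):
                    findings.append(("link_mismatch", f"shows {text} but goes to {href}"))
    return findings

# Constructed messages (assumed domains; not real traffic).
PHISH = """\
From: "Corp IT Helpdesk" <alerts@mail-notify.example>
Reply-To: it-support@notify-reply.example
To: alice.example@corp.example
Subject: [ACTION REQUIRED] Alice, your mailbox will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Alice, your Outlook Web Access password expires today.
Confirm it at <a href="http://owa.corp.example.mail-notify.example/login">https://owa.corp.example/</a>
to avoid interruption.</p></body></html>
"""
BENIGN = """\
From: Bob O'Brien <bob.obrien@corp.example>
To: alice.example@corp.example
Subject: Team lunch on Friday
Content-Type: text/plain; charset="utf-8"

Noon at the usual place; reply if you can make it.
"""

if __name__ == "__main__":
    for code, detail in score_message(PHISH):
        print(f"{code}: {detail}")
```

None of the four tells is proof on its own (plenty of legitimate ticketing systems send bracketed subjects), which is why the function returns the list rather than a verdict: the mail filter can weight them, and the help desk can show users what to look for.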

20 Template 2 – Security Patch
Goal: To have a user run an executable, providing internal access to the network.
Information gathering: egress filtering rules, mail filters, AV.

21 Pretexting
I'd like to point out a couple of things about this e-mail that contribute to creating this reality: the use of brackets with capital letters again implies an automatically generated message from a system address; it is targeted with the user's first name; and this one is meant more to appeal to the compliance instinct in an employee.

22 The Payload: Meterpreter Executable, Internal Pivot
The executable file is a Meterpreter executable. When it is run it connects out of the internal network to one of my systems.

23 Post Exploitation
If the user runs the executable, it makes an outbound connection from the internal network to a server that I own. From here I essentially have a foothold in the network. If you remember back to the ring diagram, I am now in the internal ring pushing towards the critical assets contained in the middle.

24 How Effective Is It? Highly dependent on many factors
At least 5-10% of users will run it.
Case study, July 2010: ~70 users targeted; 12 connect-backs made.
Success depends on many factors: egress filtering; mail server filters; server and endpoint AV.

25 Controls and Policy
Do your users know whom to contact if they receive an e-mail like this? How well is user awareness training working? How well is compromise detection working? Are your mail filters protecting your users?
Technical controls: What attachments are blocked? Egress filtering?

26 Tools of the Trade
Information gathering: Maltego; Shodan; Hoovers, Lead411, LinkedIn
Social Engineering Toolkit (SET); Social Engineering Framework (SEF); Metasploit
SET - SEF -

27 Physical Social Engineering

28 Information Gathering
“If you know the enemy and know yourself you need not fear the results of a hundred battles.” -Sun Tzu

29 Information Gathering
White Box vs. Black Box vs. Grey Box Know Your Target Pretexting is highly important

30 Pretexting Props or other utilities to create the ‘reality’ Keep the payload and the goal in mind Information Gathering is key

31 Template 1 – Removable Media
Goal: To have a user either insert a USB drive or run a file on the USB drive Start with no legitimate access to the building Getting it in there is the hard part

32 Pretexting
USB drives: the parking lot; inside an envelope; empathy
Bike messenger, painter, etc.

33 Payload
AutoRun an executable; malicious PDF; malicious Word documents

34 Post Exploitation

35 Controls and Policies
What are the restrictions on portable media? Was I able to bypass a control to gain access to the building?
Technical controls

36 Case Study - The Credit Union Heist
Goal: "Paul" needed to obtain access to the server room at a credit union. The room itself is locked and accessible via key card only.
Information gathering; pretexting

37 Gadgets
RFID card reader and spoofer; pocket router; SpoofApp; lock picking tools; uniforms
The first is a proximity card (RFID) reader and spoofer. The one on the right is the Proxmark III; it goes for ~$400. Basically you place the RFID card on the reader, or get close enough to pull it. The data is stored on your system and you can replay it later using the same device. The pocket-sized Wi-Fi router is for those times when you find an open, live network connection but can't stay.

38 Closing Thoughts
Protecting against social engineering is extremely difficult. User awareness training has its place. Regularly test your users. Metrics are absolutely critical to success. During an assessment much of it can be about luck.
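"Metrics are critical" and "much of it can be about luck" belong together: with 80 or 70 recipients, a single campaign's rate has a wide margin, and two campaigns should only be declared different when their intervals do not overlap. The following is an added example, not from the deck: the Wilson score interval applied to the deck's two case-study numbers (41 of 80, 12 of 70) plus a constructed small re-run, to show when the difference between campaigns is real and when it is noise. The re-run figures and the campaign labels are assumptions.

```python
import math

def wilson_interval(successes, trials, z=1.96):
    """95% Wilson score interval for a proportion. Unlike the naive p +/- z*sqrt(p(1-p)/n)
    it stays inside [0, 1] and behaves sensibly for small n and rates near 0 or 1."""
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def summarize(campaigns):
    """campaigns: list of dicts with name, sent, succeeded.
    Returns {name: (rate, lower, upper)} with the 95% interval."""
    return {c["name"]: (c["succeeded"] / c["sent"],
                        *wilson_interval(c["succeeded"], c["sent"]))
            for c in campaigns}

def clearly_different(a, b):
    """True only when the two (rate, lower, upper) intervals do not overlap."""
    return a[2] < b[1] or b[2] < a[1]

CAMPAIGNS = [
    # The two case studies reported in the deck.
    {"name": "Fear Factor, Dec 2010", "sent": 80, "succeeded": 41},
    {"name": "Security Patch, Jul 2010", "sent": 70, "succeeded": 12},
    # Constructed re-run of the first template against a small office (assumed numbers).
    {"name": "Fear Factor re-run (constructed)", "sent": 10, "succeeded": 4},
]

if __name__ == "__main__":
    summary = summarize(CAMPAIGNS)
    for name, (rate, lo, hi) in summary.items():
        print(f"{name}: {rate:.0%} (95% CI {lo:.0%} to {hi:.0%})")
    a, b, c = (summary[x["name"]] for x in CAMPAIGNS)
    print("credential vs. executable templates differ:", clearly_different(a, b))
    print("first campaign vs. small re-run differ:     ", clearly_different(a, c))
```

The 41/80 campaign comes out at roughly 40% to 62% and the 12/70 campaign at roughly 10% to 28%, so the two templates really did perform differently. The 4/10 re-run lands at 40% (about 17% to 69%) and cannot be distinguished from the original, which is the "luck" the closing slide warns about: a small test that "improved" after awareness training is not evidence until the interval says so.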

39 Resources
www.social-engineer.org
"The Strategems of Social Engineering" – Jayson Street, DefCon 18
"Open Source Information Gathering" – Chris Gates, BruCON 2009
"Security Metrics: Replacing Fear, Uncertainty, and Doubt" – Andrew Jaquith

40 Questions or Comments

