Social Engineering Techniques
Will Vandevanter, Senior Security Consultant; Danielle Sermer, Business Development Manager
Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A
Rapid7 Corporate Profile
Company: Headquarters Boston, MA. Founded 2000, commercial launch 2004. 110+ employees. Funded by Bain Capital (Aug. 08), $9M. Acquired Metasploit in Oct. 09.
Solutions: Unified Vulnerability Management products, Penetration Testing products, Professional Services.
Customers: 1,000+ customers, SMB and Enterprise; community of 65,000+.
Partners: MSSPs, security consultants, technology partners, resellers.
Organizations use Rapid7 to detect risk, mitigate threats and ensure compliance.
#1 fastest growing company for Vuln. Mgmt; #1 fastest growing software company in Mass.; #7 fastest growing security company in U.S.; #15 fastest growing software company in U.S.
Social Engineering Techniques
Will Vandevanter, Penetration Tester and Security Researcher
Web Application Assessments, Internal Penetration Testing, and Social Engineering
Disclosures on SAP, Axis2, and open source products
will __AT__ rapid7.com
Social Engineering Definition
"The act of manipulating people into performing actions or divulging confidential information." (Wikipedia; also sourced on social-engineer.org)
Social Engineering Definition Revisited
The act of manipulating the human element in order to achieve a goal. This is not a new idea.
Visualizing the Enterprise
Goal-Oriented Penetration Testing
The primary objective of all assessments is to demonstrate risk. "Hack me" or "we just want to know if we are secure" is not specific enough. The question to answer first is: what is most important to the business?
How We Use Social Engineering
To achieve the goals for the assessment
To test policies and technologies
Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks
Electronic Social Engineering
Information Gathering
White Box vs. Black Box vs. Grey Box
Know Your Target
Gather Your User List
E-mail address scheme
Document metadata
Google dorks
Hoovers, Lead411, LinkedIn, Spoke, Facebook
Verify Your User List
Test Your Payload
The amount of information to be gathered depends on the engagement. White Box: the contact provides all of the information. Black Box: I obtain the information myself; in other words, the contact point just says go at it, with no knowledge of when the attack will occur, to whom, or how. Grey Box: on a longer timeline I usually encourage a hybrid approach, so I'll gather a list of users and the scenarios I may use, and then vet these with my contact point.
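A worked example of the "e-mail address scheme" and "gather your user list" steps above. This is an added illustration, not Rapid7's tooling or code from the talk: given a couple of addresses already found (say, in document metadata) and a name list harvested from LinkedIn-style sources, it infers which address format the organisation uses and generates candidate addresses for everyone else; when nothing matches it falls back to generating under every scheme so the candidates can be verified later. All names, addresses and the example.com domain are constructed.

```python
import re

# Hypothetical, constructed input: names harvested from directory/social sites
# and two addresses recovered from document metadata. None of this is real.
HARVESTED_NAMES = ["Alice Johnson", "Bob Stone", "Carol de la Cruz", "Dan O'Neil"]
KNOWN_ADDRESSES = ["alice.johnson@example.com", "dan.oneil@example.com"]

# Common corporate local-part schemes, keyed by a short label.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[:1]}{l}",
    "firstl": lambda f, l: f"{f}{l[:1]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[:1]}",
    "first": lambda f, l: f,
}


def normalize(name):
    """Split a display name into (first, last) local-part tokens.

    Lower-cases, strips apostrophes and other punctuation, and folds
    surname particles ("de la Cruz") into a single last token.
    """
    parts = name.lower().split()
    first = re.sub(r"[^a-z0-9]", "", parts[0])
    last = re.sub(r"[^a-z0-9]", "", "".join(parts[1:])) if len(parts) > 1 else ""
    return first, last


def infer_scheme(names, known_addresses):
    """Return (scheme_label, domain) for the scheme explaining the most known
    addresses. Returns (None, domain) if no scheme matches any known address."""
    known_locals = {a.split("@")[0].lower() for a in known_addresses}
    domain = known_addresses[0].split("@")[1].lower()
    best, best_hits = None, 0
    for label, fmt in SCHEMES.items():
        hits = sum(1 for n in names if fmt(*normalize(n)) in known_locals)
        if hits > best_hits:
            best, best_hits = label, hits
    return best, domain


def generate_candidates(names, scheme, domain):
    """Build one candidate address per name under the given scheme."""
    fmt = SCHEMES[scheme]
    return [f"{fmt(*normalize(n))}@{domain}" for n in names]


def generate_all_schemes(names, domain):
    """Fallback when no scheme could be inferred: candidates under every scheme,
    to be narrowed down by a later verification step (bounce, SMTP, OWA lookup)."""
    return {label: generate_candidates(names, label, domain) for label in SCHEMES}


if __name__ == "__main__":
    scheme, domain = infer_scheme(HARVESTED_NAMES, KNOWN_ADDRESSES)
    if scheme:
        print(f"inferred scheme: {scheme}")
        for addr in generate_candidates(HARVESTED_NAMES, scheme, domain):
            print(addr)
    else:
        for label, addrs in generate_all_schemes(HARVESTED_NAMES, domain).items():
            print(label, addrs)
```

The generated list is only a hypothesis; the "Verify Your User List" step on the slide still applies before anything is sent.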
Template 1 – The Fear Factor
Goal: To obtain user credentials without tipping off the user
Identify a user login page: Outlook Web Access, or a corporate or Human Resources login page
Information gathering is vital
The
Pretexting
I'd like to point out a couple of things about this that contribute to creating this reality: the use of brackets with capital letters implies an auto-generated message from a system address; it is targeted with the user's first name; and the first sentence is meant to create a sense of panic. At this point I don't care if the user even reads the rest of the e-mail, I just want them to click the link.
The Payload
Post Exploitation
How Effective Is It? Incredibly successful.
Case Study: mid December 2010, 80 e-mails sent to various offices and levels of users; 41 users submitted their credentials.
Success varies on certain factors:
Centralized vs. decentralized locations
Help desk and internal communication process
Number of e-mails sent
Time of the day and day of the week matter
Controls and Policy
Do your users know whom to contact if they receive an e-mail like this?
How well is user awareness training working?
How well is compromise detection working?
Are your mail filters protecting your users?
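Because success "varies on certain factors", the useful output of an exercise like this is a breakdown rather than one number. The following added example (not the talk's data or tooling; the rows are constructed and do not represent the case study above) computes click, credential-submission and report rates overall, per office and per send hour, plus the delay until the first user reported the message, which is the measure of whether users actually know whom to contact. The CSV layout is an assumed export format.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed results export from a hypothetical credential-phishing exercise.
# These rows are illustrative only; they are NOT the case study's numbers.
RESULTS_CSV = """\
user,office,sent_at,clicked,submitted,reported_at
u01,boston,2010-12-14T08:05,1,1,
u02,boston,2010-12-14T08:06,1,0,2010-12-14T08:20
u03,boston,2010-12-14T08:07,0,0,2010-12-14T08:12
u04,boston,2010-12-14T14:02,1,1,
u05,denver,2010-12-14T08:10,1,1,
u06,denver,2010-12-14T08:11,1,1,
u07,denver,2010-12-14T14:05,0,0,
u08,denver,2010-12-14T14:06,1,1,
u09,remote,2010-12-14T16:30,1,1,
u10,remote,2010-12-14T16:31,0,0,
"""


def load_results(text):
    """Parse the export into rows with typed fields (empty reported_at -> None)."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "user": r["user"],
            "office": r["office"],
            "sent_at": datetime.fromisoformat(r["sent_at"]),
            "clicked": r["clicked"] == "1",
            "submitted": r["submitted"] == "1",
            "reported_at": datetime.fromisoformat(r["reported_at"]) if r["reported_at"] else None,
        })
    return rows


def rates(rows):
    """Fraction of rows that clicked, submitted credentials, and reported the e-mail."""
    n = len(rows)
    if n == 0:
        return {"clicked": 0.0, "submitted": 0.0, "reported": 0.0}
    return {
        "clicked": round(sum(r["clicked"] for r in rows) / n, 2),
        "submitted": round(sum(r["submitted"] for r in rows) / n, 2),
        "reported": round(sum(r["reported_at"] is not None for r in rows) / n, 2),
    }


def grouped_rates(rows, key):
    """Rates per group, where key(row) picks the group (office, send hour, ...)."""
    groups = defaultdict(list)
    for r in rows:
        groups[key(r)].append(r)
    return {k: rates(v) for k, v in sorted(groups.items())}


def minutes_to_first_report(rows):
    """Minutes from the first e-mail sent until the first user report; None if nobody reported.
    The shorter this is, the sooner the help desk can warn everyone else."""
    first_sent = min(r["sent_at"] for r in rows)
    reports = [r["reported_at"] for r in rows if r["reported_at"] is not None]
    if not reports:
        return None
    return int((min(reports) - first_sent).total_seconds() // 60)


def summarize(text):
    rows = load_results(text)
    return {
        "overall": rates(rows),
        "by_office": grouped_rates(rows, lambda r: r["office"]),
        "by_hour": grouped_rates(rows, lambda r: r["sent_at"].hour),
        "minutes_to_first_report": minutes_to_first_report(rows),
    }


if __name__ == "__main__":
    for section, value in summarize(RESULTS_CSV).items():
        print(section, value)
```

Tracked over repeated exercises, the per-office and time-of-day rates are what show whether awareness training and the help-desk process are improving, rather than a single headline percentage.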
Template 2 – Security Patch
Goal: To have a user run an executable providing internal access to the network.
Information Gathering: egress filtering rules, mail filters, AV
Pretexting
I'd like to point out a couple of things about this that contribute to creating this reality: the use of brackets with capital letters again implies an auto-generated message from a system address; it is targeted with the user's first name; and this one is meant more to appeal to the compliance factor in an employee.
The Payload: Meterpreter Executable, Internal Pivot
The executable file is a Meterpreter executable. When it's run it connects out of the internal network to one of my systems.
Post Exploitation
If the user runs the executable, it makes an outbound connection from the internal network to a server that I own. From here I essentially have a foothold in the network. If you remember back to the ring diagram, I am now in the internal ring, pushing towards the critical assets contained in the middle.
How Effective Is It? Highly dependent on many factors.
At least 5-10% of users will run it.
Case Study: July 2010, ~70 users targeted, 12 connect-backs made.
Success varies on many factors:
Egress filtering
Mail server filters
Server and endpoint AV
Controls and Policy
Do your users know whom to contact if they receive an e-mail like this?
How well is user awareness training working?
How well is compromise detection working?
Are your mail filters protecting your users?
Technical Controls: What attachments are blocked? Egress filtering?
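The connect-back described above is exactly what egress filtering and compromise detection are meant to catch. The following added example (not from the talk or from Rapid7) runs two simple checks over a few constructed firewall log lines: allowed outbound connections from RFC 1918 space to destination ports outside a short permitted list, and repeated connections from one host to one external address at a near-constant interval, the beaconing pattern a reverse shell or Meterpreter handler produces when it keeps reconnecting. The log format, the permitted-port list and the internal ranges are assumptions; adapt them to the firewall in use.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed (hypothetical) log format, modelled on a generic firewall export:
#   <ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Assumptions: internal space is RFC 1918 (checked explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private),
# and only web, mail and DNS are expected to leave the network directly.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
PERMITTED_EGRESS_PORTS = {25, 53, 80, 443}

# Constructed sample: one workstation makes a normal 443 request, then calls the
# same external host on 4444 roughly once a minute; other lines are noise.
SAMPLE_LOG = """\
2010-07-14T09:00:00 ALLOW TCP 10.1.2.34:51020 -> 198.51.100.10:443
2010-07-14T09:00:05 ALLOW TCP 10.1.2.34:51021 -> 203.0.113.7:4444
2010-07-14T09:01:05 ALLOW TCP 10.1.2.34:51023 -> 203.0.113.7:4444
2010-07-14T09:02:06 ALLOW TCP 10.1.2.34:51027 -> 203.0.113.7:4444
2010-07-14T09:03:05 ALLOW TCP 10.1.2.34:51030 -> 203.0.113.7:4444
2010-07-14T09:01:30 ALLOW TCP 10.1.2.50:50001 -> 198.51.100.10:80
2010-07-14T09:02:00 DENY TCP 10.1.2.60:50100 -> 203.0.113.9:31337
2010-07-14T09:02:30 ALLOW TCP 10.1.2.34:51025 -> 10.1.1.5:445
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def is_egress(rec):
    """Internal source talking to a non-internal destination."""
    return is_internal(rec["src"]) and not is_internal(rec["dst"])


def odd_port_egress(records):
    """Allowed egress to a port that should have been blocked at the perimeter."""
    return [r for r in records
            if r["action"] == "ALLOW" and is_egress(r)
            and r["dport"] not in PERMITTED_EGRESS_PORTS]


def beacons(records, min_hits=3, max_jitter=0.2):
    """Flag (src, dst, dport) seen >= min_hits times with near-constant spacing.
    max_jitter is the allowed std-dev/mean ratio of the inter-connection gaps."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOW" and is_egress(r):
            groups[(str(r["src"]), str(r["dst"]), r["dport"])].append(r["ts"])
    found = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append({"src": src, "dst": dst, "dport": dport,
                          "interval_s": round(avg, 1), "hits": len(times)})
    return found


def analyze(text):
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {"odd_port_egress": odd_port_egress(records), "beacons": beacons(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["odd_port_egress"]:
        print("odd egress:", r["ts"], r["src"], "->", r["dst"], r["dport"])
    for b in result["beacons"]:
        print("beacon:", b)
```

Note that the DENY line to port 31337 never appears in either list: the filter did its job there, which is the point of testing egress rules before the payload is sent.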
Tools of the Trade
Information Gathering: Maltego, Shodan, Hoovers, Lead411, LinkedIn
Social Engineering Toolkit (SET)
Social Engineering Framework (SEF)
Metasploit
SET -
SEF -
Physical Social Engineering
Information Gathering
"If you know the enemy and know yourself you need not fear the results of a hundred battles." (Sun Tzu)
Information Gathering
White Box vs. Black Box vs. Grey Box
Know Your Target
Pretexting is highly important
Pretexting
Props or other utilities to create the "reality"
Keep the payload and the goal in mind
Information gathering is key
Template 1 – Removable Media
Goal: To have a user either insert a USB drive or run a file on the USB drive
Start with no legitimate access to the building; getting it in there is the hard part
Pretexting
USB drives: the parking lot, inside an envelope
Empathy
Bike messenger, painter, etc.
Payload
AutoRun an executable
Malicious PDF
Malicious Word documents
Post Exploitation
Controls and Policies
What are the restrictions on portable media?
Was I able to bypass a control to gain access to the building?
Technical Controls
Case Study - The Credit Union Heist
Goal: "Paul" needed to obtain access to the server room at a credit union. The room itself is locked and accessible via key card only.
Information Gathering
Pretexting
Gadgets
RFID card reader and spoofer
Pocket router
SpoofApp
Lock picking tools
Uniforms
The first is a proximity card or RFID card reader and spoofer. The one on the right is the Proxmark III; it goes for ~$400. Basically you place the RFID card on the reader, or get close enough to pull it. The data is stored on your system and you can then replay it later using the same device. The pocket router is pocket-sized Wi-Fi for those times when you find an open, live network connection but can't stay.
Closing Thoughts
Protecting against social engineering is extremely difficult
User awareness training has its place
Regularly test your users
Metrics are absolutely critical to success
During an assessment much of it can be about luck
Resources
www.social-engineer.org
"The Stratagems of Social Engineering" – Jayson Street, DefCon 18
"Open Source Information Gathering" – Chris Gates, Brucon 2009
Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith
Questions or Comments