Penetration testing and social engineering
DESCRIPTION
Presentation by Yvette du Toit to the University Of Pretoria's honors class of 2011. This presentation is about penetration testing and social engineering. A walkthrough of a social engineering attack is given in this presentation.
TRANSCRIPT
What will we do today?
• Penetration Testing discussion
  – Types of services
• Social Engineering
  – Real-life examples
• Non-tech view
  – Dark side?
• Interactive
Penetration Testing
• What?
  – Rude word……
  – What do you think?
Breakdown
• Build Review
• Infrastructure
• Application
• Code Review
• Reverse Engineering
• MVS (PCI, Int, Ext etc)
• WLAN
• Database
• AD
Ops :)
• Client discussions
• Proposal
• Acceptance / PO
• Rest of paperwork (SOW et al)
• Resources / Schedule
• Delivery
• Report
• Invoice
Oops :(
• What can go wrong?
  – DoS
  – Wrong scope
  – Mismatched resources
  – Dissatisfied clients
  – Non-payment
Social Engineering (SE)
• Art of deception?
  – Manipulation
  – Disclosure
• What do you see as SE?
  – Examples
SE: Anatomy
• Agree scope
  – What is in?
  – What is out? MAKE THIS VERY CLEAR
• Reconnaissance
  – Onsite
  – Web
  – News
SE: Anatomy Cont’d
• Plan based on reconnaissance
  – Approximate idea of execution
  – Potential back-up plans for delivery failure
  – Changing course based on scenario
SE: Characteristics & Tools
CHARACTERISTICS
• Guts
• Keep calm
• Think on your feet
• Change tactics whilst keeping your wits about you
TOOLS
• Internet
• Google Earth
• Charm
• Manners
• Gadgets (phone, camera)
SE: Outcome / Results
• Report
• Evidence (MOST IMPORTANT)
SE: Example
• Creating a fake email account with a real person’s name.
• Ellen belongs to a company loosely affiliated with the target.
SE: Example Cont’d
• Sending an email from “Ellen” to many hundreds of employees of the target company.
• The email content is based on a real event that the target company held (gleaned from their news website).
• The email encourages people to visit a website, which appears to be legitimate.
SE: Example Cont’d
• The website is a duplicate of the target company website, with a few minor modifications to go along with the farcical story from the email.
• The page attempts to run a Java applet (next slide).
SE: Example Cont’d
• Should the user click yes to running the applet from the site, some hostile Java will execute which will compromise the machine and give the attacker full control (as in next slide).
SE: Example Cont’d
• Pwnd ;)
• Logs of people visiting the site
SE: Example Cont’d
• Oddly enough, a real employee (Fred) replied to the attacker with real comments about the site.
• This was useful as it gave us his name, email signature etc., which could be used to create another fake email account abusing his information.
SE: Example Cont’d
Creating a fake account for target company employee Fred
SE: Example Cont’d
• The entire email is forged from Fred, but it appears as though he is forwarding on an email, which is made to look like it came from a real employee.
• Here we abuse the chain of trust.
• The email encourages users to go to a Microsoft website to download an urgent update.
SE: Example Cont’d
• The attacker has downloaded a real MS update, but sneakily inserted some hostile code (the “hot” file).
• This is hosted on a fake MS website (next slide).
SE: Example Cont’d
Looks legit? Almost too good to be true.
SE: Example Cont’d
• Here we see a user downloading and running the file, the result of which is his AV being killed, a screenshot of his desktop being taken, and full control of his machine given to the attacker.
• Game over.
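The chain in the walkthrough leaves a few signals a mail gateway or SOC analyst can check for: a known colleague's name on an address never seen for them, a link to a host that mimics the company or a vendor, an outsider "forwarding" internal mail, and an urgent update. As an added example (not part of the deck or the presenter's work), this Python triage function scores one raw message for exactly those signals; every name, domain and message in it is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed organisation data for this example; none of it comes from the deck.
INTERNAL_DOMAINS = {"target-corp.example"}
KNOWN_PEOPLE = {  # display name -> the only address that person legitimately uses
    "fred jones": "fred.jones@target-corp.example",
    "ellen smith": "ellen.smith@partner.example",
}
TRUSTED_BRANDS = {"microsoft.com", "target-corp.example"}
def lookalike(host, trusted):
    """True when host borrows a trusted brand's first label without being that domain or a subdomain of it."""
    for t in trusted:
        label = t.split(".")[0]
        if host != t and not host.endswith("." + t) and label in host:
            return True
    return False
def triage(raw):
    """Return human-readable findings for one RFC 822 message (assumes a single-part text/plain body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject, body = msg.get("Subject", ""), msg.get_payload()
    findings = []
    # 1. Impersonation: a known colleague's name on an address we have never seen for them.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' matches a known contact but address is {addr}")
    # 2. Links whose host mimics the company or a vendor (cloned website, fake update site).
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if lookalike(host, TRUSTED_BRANDS):
            findings.append(f"link host {host} mimics a trusted domain")
    # 3. Abused chain of trust: an outsider presenting a 'forwarded' internal mail.
    if sender_domain not in INTERNAL_DOMAINS and re.search(r"(?i)\bfwd?:|forwarded", subject + body):
        findings.append("external sender presenting a forwarded internal message")
    # 4. Urgency combined with a software-update pretext.
    if re.search(r"(?i)urgent.*(update|patch)", body):
        findings.append("urgency combined with an update/patch pretext")
    return findings
# Constructed sample modelled on the forged 'Fred' mail; triage(PHISH) yields all four findings.
PHISH = """From: Fred Jones <fred.jones@webmail.example>
To: staff@target-corp.example
Subject: FW: Urgent update

Please install this urgent update: http://microsoft-updates.example/hotfix.exe
"""
```

The checks are deliberately simple string heuristics; in production they would sit beside SPF/DKIM/DMARC results and a real directory lookup rather than a hard-coded dictionary.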
Questions