penetration testing and social engineering


Upload: sensepost

Post on 01-Nov-2014


DESCRIPTION

Presentation by Yvette du Toit to the University Of Pretoria's honors class of 2011. This presentation is about penetration testing and social engineering. A walkthrough of a social engineering attack is given in this presentation

TRANSCRIPT

Page 1: Penetration testing and social engineering

What will we do today?

• Penetration Testing discussion
  – Types of services

• Social Engineering
  – Real-life examples

• Non-tech view
  – Dark side?

• Interactive

Page 2

Penetration Testing

• What?
  – Rude word……
  – What do you think?

Page 3

Breakdown

• Build Review
• Infrastructure
• Application
• Code Review
• Reverse Engineering
• MVS (PCI, Int, Ext etc)
• WLAN
• Database
• AD

Page 4

Ops :)

• Client discussions
• Proposal
• Acceptance / PO
• Rest of paperwork (SOW et al)
• Resources / Schedule
• Delivery
• Report
• Invoice

Page 5

Oops :(

• What can go wrong?
  – DoS
  – Wrong scope
  – Mis-match resources
  – Dissatisfied clients
  – Non-payment

Page 6

Social Engineering (SE)

• Art of deception?
  – Manipulation
  – Disclosure

• What do you see as SE?
  – Examples

Page 7

SE: Anatomy

• Agree scope
  – What is in?
  – What is out? MAKE THIS VERY CLEAR

• Reconnaissance
  – Onsite
  – Web
  – News

Page 8

SE: Anatomy Cont’d

• Plan based on reconnaissance
  – Approximate idea of execution
  – Potential back-up plans for delivery failure
  – Changing course based on scenario

Page 9

SE: Characteristics & Tools

CHARACTERISTICS
• Guts
• Keep calm
• Think on your feet
• Change tactics whilst keeping your wits about you

TOOLS
• Internet
• Google Earth
• Charm
• Manners
• Gadgets (phone, camera)

Page 10

SE: Outcome / Results

• Report
• Evidence (MOST IMPORTANT)

Page 11

SE: Example

• Creating a fake email account with a real person’s name.
• Ellen belongs to a company loosely affiliated with the target.

Page 12

SE: Example Cont’d

• Sending an email from “Ellen” to many hundreds of employees of the target company.
• The email contents are based on a real event that the target company held (gleaned from their news website).
• The email encourages people to visit a website, which appears to be legitimate.

Page 13

SE: Example Cont’d

• The website is a duplicate of the target company website, with a few minor modifications to go along with the farcical story from the email.
• The page attempts to run a Java applet (next slide).

Page 14

SE: Example Cont’d

• Should the user click yes to running the applet from the site, some hostile Java will execute which will compromise the machine and give the attacker full control (as in next slide).

Page 15

SE: Example Cont’d

• Pwnd ;)
• Logs of people visiting the site

Page 16

SE: Example Cont’d

• Oddly enough, a real employee (Fred) replied to the attacker with real comments about the site.
• This was useful as it gave us his name / email signature etc., which could be used to create another fake email account abusing his information.

Page 17

SE: Example Cont’d

Creating a fake account for target company employee Fred

Page 18

SE: Example Cont’d

• The entire email is forged from Fred, but it appears as though he is forwarding on an email – which is made to look like it came from a real employee.
• Here we abuse the chain of trust.
• The email encourages users to go to a Microsoft website to download an urgent update.

Page 19

SE: Example Cont’d

• The attacker has downloaded a real MS update, but sneakily inserted some hostile code (the “hot” file).
• This is hosted on a fake MS website (next slide).

Page 20

SE: Example Cont’d

Looks legit? Almost too good to be true.

Page 21

SE: Example Cont’d

• Here we see a user downloading and running the file, the result of which is his AV being killed, a screenshot of his desktop being taken, and full control of his machine given to the attacker.
• Game over.
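The forged “Ellen” and “Fred” mails in the walkthrough rest on two tricks: a real employee’s name on an outside mailbox, and an outsider “forwarding” a message dressed up to come from inside the company. As an added defender-side example (not code from the presentation or from SensePost), the Python below flags both patterns in a message; the company domain, staff directory and sample mails are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the target company's mail domain and a tiny
# staff directory (normalised display name -> that person's real address).
COMPANY_DOMAIN = "target.example"
KNOWN_STAFF = {"fred smith": "fred.smith@target.example"}
# A "From:" line quoted inside a message body, as in a forwarded message.
QUOTED_FROM = re.compile(r"^\s*>?\s*From:.*?([\w.+-]+@[\w.-]+)", re.M | re.I)


def check_sender(raw_message: str) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for one RFC 5322 message."""
    # Heuristics only: they complement gateway SPF/DKIM/DMARC checks, which
    # cannot catch a genuine outside mailbox that merely borrows a name.
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    findings = []
    # 1. A known employee's display name on an address that is not theirs.
    expected = KNOWN_STAFF.get(" ".join(display_name.lower().split()))
    if expected and address != expected:
        findings.append(("display-name-impersonation",
                         f"'{display_name}' expected {expected}, got {address}"))
    # 2. A sender outside the company whose body quotes an internal From: line.
    body = msg.get_body(preferencelist=("plain",))
    quoted = [a.lower() for a in QUOTED_FROM.findall(body.get_content() if body else "")]
    internal = [a for a in quoted if a.endswith("@" + COMPANY_DOMAIN)]
    if internal and not address.endswith("@" + COMPANY_DOMAIN):
        findings.append(("external-forward-of-internal-mail",
                         f"{address} relays mail claiming to be from {internal[0]}"))
    return findings


# Constructed sample messages (not real mail) for a quick self-check.
SAMPLE_FORGED = """\
From: Fred Smith <fred.smith@webmail.example>
Subject: FW: Urgent update

---------- Forwarded message ----------
From: IT Helpdesk <helpdesk@target.example>
Please install the attached update today.
"""
SAMPLE_LEGIT = """\
From: Fred Smith <fred.smith@target.example>
Subject: Lunch

See you at noon.
"""
```

Run `check_sender(SAMPLE_FORGED)` to see both findings fire, and `check_sender(SAMPLE_LEGIT)` to see a genuine internal mail pass clean.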

Page 22

Questions

Page 23

Contact Details

Name: Yvette du Toit
Email: yve][email protected]