Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager

Dec 17, 2015

Transcript

Page 1: Social Engineering Techniques

Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager

Page 2: Agenda

1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A

Page 3: Rapid7 Corporate Profile

Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09

Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services

Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+

Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers

#1 Fastest growing company for Vuln. Mgmt
#1 Fastest growing software company in Mass.
#7 Fastest growing security company in U.S.
#15 Fastest growing software company in U.S.

Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance

Page 4: Social Engineering Techniques

Page 5: Will Vandevanter

• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com

Page 6: Social Engineering Definition

“The act of manipulating people into performing actions or divulging confidential information.”

Wikipedia (also sourced on social-engineer.org)

Page 7: Social Engineering Definition Revisited

• The act of manipulating the human element in order to achieve a goal.
• This is not a new idea.

Page 8: Visualizing the Enterprise

Page 9: Goal Oriented Penetration Testing

• The primary objective of all assessments is to demonstrate risk
• ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
• How do I know what is the most important to the business?

Page 10: How We Use Social Engineering

• To achieve the goals for the assessment
• To test policies and technologies

Page 11: Commonalities

1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks

Page 12: Electronic Social Engineering

Page 13: Information Gathering

• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Gather Your User List
  – Email Address Scheme
  – Document meta-data
  – Google Dorks
  – Hoovers, Lead411, LinkedIn, Spoke, Facebook
• Verify Your User List
• Test Your Payload

Page 14: Template 1 – The Fear Factor

• Goal: To obtain user credentials without tipping off the user
• Identify a user login page
  – Outlook Web Access
  – Corporate or Human Resources Login Page
• Information Gathering is vital

Page 15: Pretexting

Page 16: The Payload

Page 17: Post Exploitation

Page 18: How Effective Is It?

• Incredibly Successful
• Case Study
  – Mid December 2010
  – 80 e-mails sent to various offices and levels of users
  – 41 users submitted their credentials
• Success varies on certain factors
  – Centralized vs. Decentralized Locations
  – Help Desk and internal communication process
  – Number of e-mails sent
  – Time of the day and day of the week matter

Page 19: Controls and Policy

• Do your users know who to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
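As an added example (not part of the slides), a small triage check for the kind of credential-phishing message Template 1 relies on: a display name that borrows the internal domain, a diverted Reply-To, a login link to a host the organisation does not run, and fear language. The internal domain, the legitimate OWA host and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"           # assumed internal mail domain
LEGIT_LOGIN_HOSTS = {"mail.example.com"}  # assumed real OWA host(s)
URGENCY = ("immediately", "suspended", "within 24 hours", "verify your account")

# Constructed messages: one modelled on the "fear factor" template, one benign.
PHISH = """\
From: IT Helpdesk example.com <helpdesk@example-support.net>
Reply-To: noreply@mail-verify.info
Subject: Action required: mailbox will be suspended

Your mailbox will be suspended within 24 hours. Verify your account at
https://owa.example-secure.net/owa/auth/login.aspx immediately.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Lunch menu

This week's menu is at https://intranet.example.com/cafeteria - see you there.
"""

def triage(raw: str) -> list:
    """Return the phishing indicators found in one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    sender = msg.get("From", "")
    m = re.search(r"<([^>]+)>", sender)
    addr = (m.group(1) if m else sender).strip().lower()
    dom = addr.rsplit("@", 1)[-1]
    # Display name shows the internal domain, but the real address is external.
    if INTERNAL_DOMAIN in sender.lower() and dom != INTERNAL_DOMAIN \
            and not dom.endswith("." + INTERNAL_DOMAIN):
        findings.append("display-name spoofs internal domain")
    # Replies are diverted to a mailbox other than the sender's.
    reply_to = msg.get("Reply-To", "").lower()
    if reply_to and addr not in reply_to:
        findings.append("reply-to differs from sender")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        # A login/OWA-looking link that lands on a host we do not operate.
        if re.search(r"owa|login|webmail", url, re.I) and host not in LEGIT_LOGIN_HOSTS:
            findings.append("login link to unknown host " + host)
    if any(word in body.lower() for word in URGENCY):
        findings.append("urgency / fear language")
    return findings
```

The same four checks are the ones a mail gateway rule or a help-desk triage sheet can apply; what the case study measures is how many users act before any of them fire.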

Page 20: Template 2 – Security Patch

• Goal: To have a user run an executable providing internal access to the network.
• Information Gathering:
  – Egress filtering rules
  – Mail filters
  – AV

Page 21: Pretexting

Page 22: The Payload

• Meterpreter Executable
• Internal Pivot

Page 23: Post Exploitation

Page 24: How Effective Is It?

• Highly dependent on a large number of factors
• At least 5-10% of users will run it
• Case Study
  – July 2010
  – ~70 users targeted
  – 12 connect backs made
• Success varies on many factors
  – Egress Filtering
  – Mail Server Filters
  – Server and endpoint AV

Page 25: Controls and Policy

• Do your users know who to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
• Technical Controls
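As an added example (not from the presentation), a check of the egress-filtering factor that decides whether Template 2's connect back succeeds: it reads firewall log lines and reports workstations that reached a public host directly instead of through the proxy, plus the attempts the firewall blocked. The log format, the user subnet, the proxy address and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")  # assumed user LAN
PROXY = ("10.20.1.10", 3128)                         # assumed only sanctioned web egress
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed firewall export: one workstation goes out through the proxy and then
# straight to a public host; another only reaches the proxy and gets one attempt denied.
SAMPLE_LOG = """\
2010-07-14T09:12:03 ALLOW TCP 10.20.5.17:49233 -> 10.20.1.10:3128
2010-07-14T09:12:05 ALLOW TCP 10.20.5.17:49234 -> 203.0.113.45:443
2010-07-14T09:12:09 ALLOW TCP 10.20.5.17:49235 -> 203.0.113.45:443
2010-07-14T09:13:41 ALLOW TCP 10.20.7.2:51002 -> 10.20.1.10:3128
2010-07-14T09:14:10 DENY TCP 10.20.7.2:51003 -> 198.51.100.9:4444
2010-07-14T09:15:00 ALLOW UDP 10.20.7.2:51004 -> 10.20.1.53:53
"""

def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """True for RFC 1918 space; traffic staying there never left the LAN."""
    return any(ip in net for net in RFC1918)

def egress_report(log: str) -> dict:
    """Classify workstation traffic that tried to leave the LAN.

    'connect_backs': sessions the firewall ALLOWED straight to a public host
    without passing the proxy, the signature of a payload that phoned home;
    'blocked': the same pattern on DENY lines, where the egress rule held."""
    allowed, blocked = defaultdict(set), []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # only the constructed format above is understood
        _, action, proto, src, _sport, dst, dport = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in WORKSTATIONS or (dst, int(dport)) == PROXY or is_internal(dst_ip):
            continue  # not a user machine, sanctioned proxy path, or never left the LAN
        if action == "ALLOW":
            allowed[src].add(f"{proto}/{dst}:{dport}")
        else:
            blocked.append(f"{src} -> {dst}:{dport}")
    return {"connect_backs": {s: sorted(e) for s, e in allowed.items()}, "blocked": blocked}

if __name__ == "__main__":
    print(egress_report(SAMPLE_LOG))
```

Run against a real export, a non-empty connect_backs map is the "12 connect backs" number from the case study seen from the defender's side, and the blocked list is what a working egress rule turns that number into.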

Page 26: Tools of the Trade

• Information Gathering
  – Maltego
  – Shodan
  – Hoovers, Lead411, LinkedIn
• Social Engineering Toolkit (SET)
• Social Engineering Framework (SEF)
• Metasploit

Page 27: Physical Social Engineering

Page 28: Information Gathering

“If you know the enemy and know yourself you need not fear the results of a hundred battles.”

- Sun Tzu

Page 29: Information Gathering

• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Pretexting is highly important

Page 30: Pretexting

• Props or other utilities to create the ‘reality’
• Keep the payload and the goal in mind
• Information Gathering is key

Page 31: Template 1 – Removable Media

• Goal: To have a user either insert a USB drive or run a file on the USB drive
• Start with no legitimate access to the building
• Getting it in there is the hard part

Page 32: Pretexting USB Drives

• The Parking Lot
• Inside of an Envelope
• Empathy
• Bike Messenger, Painter, etc.

Page 33: Payload

• AutoRun an executable
• Malicious PDF
• Malicious Word Documents

Page 34: Post Exploitation

Page 35: Controls and Policies

• What are the restrictions on portable media?
• Was I able to bypass a control to gain access to the building?
• Technical Controls

Page 36: Case Study - The Credit Union Heist

• Goal: “Paul” needed to obtain access to the server room at a credit union
• The room itself is locked and accessible via key card only.
• Information Gathering
• Pretexting

Page 37: Gadgets

• RFID card reader and spoofer
• Pocket Router
• SpoofApp
• Lock Picking Tools
• Uniforms

Page 38: Closing Thoughts

• Protecting against Social Engineering is extremely difficult
• User Awareness training has its place
• Regularly test your users
• Metrics are absolutely critical to success
• During an assessment much of it can be about luck

Page 39: Resources

• www.social-engineer.org
• “The Stratagems of Social Engineering” – Jayson Street, DefCon 18
• “Open Source Information Gathering” – Chris Gates, Brucon 2009
• Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith

Page 40: Questions or Comments