ECSA/LPT
EC Council Mod le XXVIEC-Council Module XXVI
Social Engineering P t ti T tiPenetration Testing
Penetration Testing Roadmap
Start HereInformation Vulnerability External
Gathering Analysis Penetration Testing
Fi ll Router and InternalFirewall
Penetration Testing
Router and Switches
Penetration Testing
Internal Network
Penetration Testing
IDS
Penetration Testing
Wireless Network
Penetration Testing
Denial of Service
Penetration Testing
Password Cracking
Stolen Laptop, PDAs and Cell Phones
Social EngineeringApplication
Cont’d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration TestingPenetration Testing Penetration TestingPenetration Testing
Penetration Testing Roadmap (cont’d)(cont d)
Cont’dPhysical S i
Database P i i
VoIP P i T iSecurity
Penetration Testing
Penetration testing Penetration Testing
Vi dVirus and Trojan
Detection
War Dialing VPN Penetration Testing
Log Management
Penetration Testing
File Integrity Checking
Blue Tooth and Hand held
Device Penetration Testing
Telecommunication And Broadband Communication
Email Security Penetration Testing
Security Patches
Data Leakage Penetration Testing
End Here
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Communication Penetration Testing
gPenetration Testing
Penetration Testing
What is Social Engineering?
The term social engineering is used to describe the various tricks usedto fool people (employees, business partners, or customers) intovoluntarily giving away information that would not normally be knownto the general public.
Examples:
• Names and contact information for key personnel• System user IDs and passwords• Proprietary operating procedures
C t fil• Customer profiles
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Requirements of Social Engineering Engineering
Be patient when you make several phone calls to a person to gather sensitive information.
Appear to be confident so that people will believe you.
Develop trust of the target person by using mirror techniques.
Have knowledge while gathering the details of an person to whom you are contacting at a company.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steps in Conducting Social Engineering Penetration TestEngineering Penetration Test
1 • Attempt social engineering techniques using phone
2 • Attempt social engineering by vishing
3 • Attempt social engineering by telephone
4 • Attempt social engineering using email
5 • Attempt social engineering by using traditional mail
i l i i i6 • Attempt social engineering in person
7 • Attempt social engineering by dumpster diving
I id li8 • Insider accomplice
9 • Attempt social engineering by shoulder surfing
• Attempt social engineering by desktop information
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
10 • Attempt social engineering by desktop information
Steps in Conducting Social Engineering Penetration Test (cont’d)Engineering Penetration Test (cont d)
11 • Attempt social engineering by extortion and blackmail
12 • Attempt social engineering using websites
13 • Attempt identity theft and phishing attacks
14 • Try to obtain satellite imagery and building blue prints
15 • Try to obtain the details of an employee from social networks sites
16 • Use a telephone monitoring device to capture conversation
17 • Use video recording tools to capture images
18 • Use vehicle/asset tracking system to monitor motor vehicles
19 • Identify “disgruntled employees” and engage in conversation to extract sensitive information
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
20 • Document everything
Before you Start
Print business cards of a bogus companyg p y
Make sure you have email ID printed on your business card, e.g [email protected] @
Buy clothes that are need for the social engineering attacks, e.g fireman uniform
Print bogus ID cards
Setup a bogus website for the company you represent
Register a new number for your mobile phone that will be used in the
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Register a new number for your mobile phone that will be used in the social engineering attack
Dress Like a Businessman
Dress like a businessman; wear a tie and a e pensi e s itexpensive suit
Carry a briefcase
Your attire should command great respect
You are judged by how good you look
Wear glasses to look more intelligent
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 1: Attempt Social Engineering Techniques Using PhoneTechniques Using Phone
Call the company’s help desk and ask for sensitive information
Call the receptionist, engage in conversation and extract various contact details of the company
Make it look realistic – rehearse many times before you make the call
Have backup answers for every question you throw at the target person
Record the conversation – reporting purposes
“Hi, this is Jason, the VP of sales. I'm at the New York branch today and I can't remember my password. The machine in my home office has that 'Remember password' set, so it's been months since I actually had to enter it. Can you tell me what it is, or reset it or something? I really need to access this month's sales reports ASAP."
"Hi, this is Joanna at the Boston branch. I'm the new LAN administrator and my boss wants this done before he gets back from London. Do you know how I can:Do you know how I can:
Configure our firewall to have the same policies as corporate?
Download the latest DNS entries from the corporate DNS server to our local server?
Run a transaction on a remote file and print server using a Shell command?
Back up the database to our off-site disaster recovery location?
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Locate the IP address of the main DNS server?
Set up a backup dial-up connection to the corporate LAN?
Connect this new network segment to the corporate intranet?"
Step 2: Attempt Social Engineering by VishingEngineering by Vishing
Use the vishing technique and pose as an employee of legitimate i enterprise
Trick the users and gather their personal sensitive informationTrick the users and gather their personal sensitive information
Look for the following:
• Payment card information• PIN (Personal Identification Number)
Look for the following:
( )• Social insurance number• Date of birth• Bank account numbers
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Passport number
Step 3: Attempt Social Engineering by TelephoneEngineering by Telephone
Three common techniques to perform
• Pose like a disgruntled customer.A t l i h l
social engineering using telephone are:
• Act as a logging helper.• Appear as a technical support member.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 4: Attempt Social Engineering Using EmailEngineering Using Email
Create a webpage that spoofs the company’s identity
Send an email to someone in the company to visit http://x.x.x.x/login.asp? And ask http://x.x.x.x/login.asp? And ask them to re-login to activate the server upgrade
Make the email look legitimate and real (company fonts, colors, logo, etc.)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 4: Attempt Social Engineering Using Email (cont’d)Engineering Using Email (cont d)
Send sweepstake (like lottery, gifts) information to users and ask them t id th i il ID d d dd th h li to provide their name, email ID, password, and address through online form
Another way to obtain information online is by sending mails to users and requesting them to provide password by posing yourself as a network administrator
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 4: Attempt Social Engineering Using Email (cont’d) Engineering Using Email (cont d)
"You have been specially selected..."
"You have won..."
" $ h ""A new car! A trip to Hawaii! $2,500 in cash!"
"Yours, absolutely free! Take a look at our..."
"Your special claim number lets you ..."
"All i h dli ”"All you pay is postage, handling, taxes ...”
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Email Spoof: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Email Spoof: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Email Spoof: Screenshot 3
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 5: Attempt Social Engineering by Using Traditional Mailby Using Traditional Mail
Send “snail” mail letters to selected employees of the target company
Example:
Make the letter look real so that people fall for the scam
• Congratulations, you've been preapproved for a holiday to London (all expenses paid). To claim your gift, please complete the enclosed circulation survey and return it to us at Green Apple
Example:
the enclosed circulation survey and return it to us at Green Apple Travel Services.
• If you accept this offer by 3/4/2004, we will also send you a complementary American Express leather wallet.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Example
Fake prize letter offering holiday Fake prize letter offering holiday trip in exchange for survey
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 6: Attempt Social Engineering in PersonEngineering in Person
Visit the physical facility and attempt social engineering techniquesp y y p g g q
Rehearse what you are going to say
k i h l
Dress appropriately – for example if you are going to spoof as fireman then you better wear those uniforms and speak like them
• Sensitive information.• Contact information.
Ask questions that reveal:
Contact information.• Company policies.• IT infrastructure.• Invite the party for a drink or coffee and continue social engineering
techniques at a coffee table
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
techniques at a coffee table.• Establish trust.
Example
"Hi I' J h B I' ith th t l dit A th S d "Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash "show me how you would recover from a website crash.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Example
"Hi, I'm Sharon, I'm a sales rep out of the New York office. I know this is short notice, but I have a group of perspective clients out in the car that I've been trying for months to get to outsource their security training needs to us outsource their security training needs to us.
They're located just a few miles away and I think that if I can give them a quick tour of our facilities it should be enough to push our facilities, it should be enough to push them over the edge and get them to sign up.
Oh yeah, they are particularly interested in what security precautions we've adopted what security precautions we ve adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y g p y
Example
"Hi I'm with Aircon Express Services We Hi, I m with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-y g p fsounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 7: Attempt Social Engineering by Dumpster DivingEngineering by Dumpster Diving
The term dumpster diving is used to describe searching disposal areas The term dumpster diving is used to describe searching disposal areas for information that has not been properly destroyed.
M i ti tili h t l f th d Many organizations utilize hotel conference rooms or other unsecured facilities to conduct brainstorming sessions.
Once the session is complete, no one considers wiping down the whiteboards used to record the output of the meeting.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steps for Dumpster Diving
Collect trash cans and paper binsp p
Trash can be looked up inside the office or outside the buildingthe building
Look for the following:
• Sensitive documents.• Customer contacts.• Email messages.
h d• Purchase orders.• Appointments.• Schedules.• Envelope addresses
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Envelope addresses.• Post-it notes.
Step 8: Insider Accomplice
A developer building a Trojan horse or time bomb into a web application (especially if the developer is a short-term consultant)
A DBA adding some attacker-friendly stored procedures to the A DBA adding some attacker-friendly stored procedures to the production database
A webmaster installing a backdoor or rootkit on the web server
A network engineer making an illicit copy on a production server's entire hard drive
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 8: Insider Accomplice (cont’d)(cont d)
A system administrator forgetting to install an operating system security hpatch
A value-added retailer (VAR) installing a firewall and leaving the f ' d f l i imanufacturer's default maintenance account active
An engineer from the local utility company attaching a network sniffer LANto a LAN
A member of the cleaning crew retrieving any useful-looking post-its f h ' bifrom the computer room's wastepaper bin
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Accomplice
Using social engineering techniques befriend someone inside the company and try turning them into an accomplice
This could be achieved by:
• Bribing.• Becoming involved in a personal relationship.
This could be achieved by:
Becoming involved in a personal relationship.• Helping the person by understanding his needs.• Exchange for movie tickets, football games, etc.• Handing out gifts such as handphones.g g p
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 9: Attempt Social Engineering by Shoulder SurfingEngineering by Shoulder Surfing
Shoulder surfing is a process of overlooking someone's shoulder in order to gather password or a PIN code and other critical information
Perform the following:
order to gather password or a PIN code and other critical information.
• Gaze into some one’s password or PIN code with the help of binoculars or a low-power telescope
• Coat the keypad with a thin painted ultraviolet material so that you • Coat the keypad with a thin painted ultraviolet material so that you can view the key or PIN entered by the user
• Listen to the keystrokes while a user types a password so that you can judge the number of characters the user’s password contains
• Listen to the telephone keypad when a user dials a PIN to determine the PIN code from the sounds of Dual Tone Multi Frequency tones
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 10: Attempt Social Engineering by Desktop Informationby Desktop Information
Check for the desktop system that is not locked by the user and hack the i h ll i i d i h f h d h h system with all permissions and access rights of the user and gather the
sensitive information.
Use computer’s cache file and gather all recent passwords, websites visited, and cookies which are used to exploit the user’s network access.
Perform desktop social engineering during the office hours when the employees are in the office, but away from their system.
Check for the employees who never lock their draw and keep their files and papers on their desk through which sensitive information like user name, password, and so on can be gathered easily.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
name, password, and so on can be gathered easily.
Step 11: Attempt Social Engineering by Extortion and Blackmailby Extortion and Blackmail
You can attempt blackmail and extortion if your penetration testing contracts allow itcontracts allow it.
This type of pen-test might invoke local police authorities if not handled correctly.
The management and the IT team should be aware of every step in this experiment.
I d b dl b f i Y
Call an employee and threaten him like:
• I was treated very badly because of your customer service. You John Stevens, as a support engineer, you have violated US environmental act 345, 222,563, I will be initiating a lawsuit against you as a person and your firm and report the breeches to the US environmental agency unless
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
the US environmental agency unless……
Step 12: Attempt Social Engineering Using WebsitesEngineering Using Websites
Use fake sites to redirect the employees to give out passwords and other sensitive informationother sensitive information.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 13: Identity Theft and Phishing AttacksPhishing Attacks
Attempt identity theft using employees’ company IDs.
Attempt phishing attacks on company employees and see if you can deceive them.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 14: Try to Obtain Satellite Imagery and Building Blue PrintsImagery and Building Blue Prints
This will help you to locate doors, windows, and exits at the premise
You don’t have to do guess work where to go in the location
The building blueprint can be obtained from the land administration department
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Company Blue Print
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 15: Try to Obtain the Details of an Employee from Social Networks SitesEmployee from Social Networks Sites
Visit social network websites:
• www.orkut.com• www.facebook.com
hi• www.hi5.com• www.myspace.com
Gather the details of employee from the communities that are available in the social network sites
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Social Networks Websites: ScreenshotsScreenshots
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 16: Use Telephone Monitoring Device to Capture ConversationDevice to Capture Conversation
Illegal tie-up with authorized federal agencies may allow t o engage i iin wiretaps
Sensitive information can revealed by illegal recorded phone calls i h h h ' idwithout the other party's consent as evidence
Devices: Telephone recorders and call recorders Devices: Telephone recorders and call recorders
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 17: Use Video Recording Tools to Capture ImagesTools to Capture Images
This will help you to capture the streaming p y p gvideo and snapshots of the victim’s computer screen where you can capture their:
• Passwords. • Credentials .• Personal information.
Tools: Digital Video Recorder and Quick Screen Recorder
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 18: Use Vehicle/Asset Tracking System to Monitor Motor Vehicles System to Monitor Motor Vehicles
Covert tracking system that screens vehicles location via global g y gpositioning system
Devices that locate the approximate area of
• Pro Trak GPS • RF Scout GPS Tracking System
ppthe trailer:
RF Scout GPS Tracking System
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Spy Gadgets
Use spy gadgets to get insider information of the organization.
A spy camera system concealed in a decorative clock automatically records images on a removable memory card
py g g g g
automatically records images on a removable memory card upon Video Motion Detection.
A micro camera so small it can sit on a dime with room left A micro camera so small it can sit on a dime with room left over. This black and white CMOS camera weighs just 0.9g without the cable, is 8mm X 8mm X 8mm draws just 15mA, and consumes a minuscule 7 to 12 VDC.
256MB flash memory records up to 9 hours of voice via built in microphone and also holds your favorite MP3s
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
built-in microphone and also holds your favorite MP3s.
Step 19: Identify “Disgruntled Employees” and Engage in Conversation to Extract Sensitive
Information Information
Identify disgruntled employees by overhearing conversation in the company cafeteria
Befriend him and express similar views about the company to extract the following information:
company cafeteria.
• Company policies and IT infrastructure• Work place address and contact address
P l i f i
co pa y to e t act t e o o g o at o :
• Personal information• Bank accounts and credit card numbers• Organization computer network details• Organization policies• Organization policies• Organization structure• Organization functions• Organization future projects
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
g p j• Organization employee details
Step 20: Document Everything
Document your results and findings:
• Name and employee ID• Official email ID and passwords• Personal email ID and passwordsp• Social security number and designation• Workplace address and contact address• Personal information• Bank accounts and credit card numbers• Organization computer network details• Organization policies• Organization structure• Organization functions• Organization future projects
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Organization employee details
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited