Penetration testing and social engineering

Presentation by Yvette du Toit to the University Of Pretoria's honors class of 2011.

This presentation is about penetration testing and social engineering. A walkthrough of a social engineering attack is given in this presentation

Penetration testing and social engineering

  1. What will we do today?
     • Penetration Testing discussion
     • Non-tech view
       – Types of services
       – Dark side?
     • Social Engineering
     • Interactive
       – Real-life examples
  2. Penetration Testing
     • What?
       – Rude word……
       – What do you think?
  3. Breakdown
     • Build Review
     • Infrastructure
     • Application
     • Code Review
     • Reverse Engineering
     • MVS (PCI, Int, Ext etc)
     • WLAN
     • Database
     • AD
  4. Ops :)
     • Client discussions
     • Proposal
     • Acceptance / PO
     • Resources / Schedule
     • Delivery
     • Report
     • Invoice
     • Rest of paperwork (SOW et al)
  5. Oops :(
     • What can go wrong?
       – DoS
       – Wrong scope
       – Mis-matched resources
       – Dissatisfied clients
       – Non-payment
  6. Social Engineering (SE)
     • Art of deception?
       – Manipulation
       – Disclosure
     • What do you see as SE?
       – Examples
  7. SE: Anatomy
     • Agree scope
       – What is in?
       – What is out?
       MAKE THIS VERY CLEAR
     • Reconnaissance
       – Onsite
       – Web
       – News
  8. SE: Anatomy Cont'd
     • Plan based on reconnaissance
       – Approximate idea of execution
       – Potential back-up plans for delivery failure
       – Changing course based on scenario
  9. SE: Characteristics & Tools
     • CHARACTERISTICS
       – Guts
       – Keep calm
       – Think on your feet
       – Change tactics whilst keeping your wits about you
     • TOOLS
       – Internet
       – Google Earth
       – Charm
       – Manners
       – Gadgets (phone, camera)
  10. SE: Outcome / Results
     • Report
     • Evidence (MOST IMPORTANT)
  11. SE: Example
     • Creating a fake email account with a real person's name.
     • Ellen belongs to a company loosely affiliated with the target.
  12. SE: Example Cont'd
     • Sending an email from "Ellen" to many hundreds of employees of the target company.
     • The email content is based on a real event that the target company held (gleaned from their news website).
     • The email encourages people to visit a website, which appears to be legitimate.
  13. SE: Example Cont'd
     • The website is a duplicate of the target company website, with a few minor modifications to go along with the farcical story from the email.
     • The page attempts to run a Java applet (next slide).
  14. SE: Example Cont'd
     • Should the user click yes to running the applet from the site, some hostile Java will execute which will compromise the machine and give the attacker full control (as in next slide).
  15. SE: Example Cont'd
     • Pwnd ;)
     • Logs of people visiting the site
  16. SE: Example Cont'd
     • Oddly enough, a real employee (Fred) replied to the attacker with real comments about the site.
     • This was useful as it gave us his name / email signature etc., which could be used to create another fake email account abusing his information.
  17. SE: Example Cont'd
     Creating a fake account for target company employee Fred
  18. SE: Example Cont'd
     • The entire email is forged from Fred, but it appears as though he is forwarding on an email, which is made to look like it came from a real employee.
     • Here we abuse the chain of trust.
     • The email encourages users to go to a Microsoft website to download an urgent update.
  19. SE: Example Cont'd
     • The attacker has downloaded a real MS update, but sneakily inserted some hostile code (the "hot" file).
     • This is hosted on a fake MS website (next slide).
  20. SE: Example Cont'd
     Looks legit? Almost too good to be true.
  21. SE: Example Cont'd
     • Here we see a user downloading and running the file, the result of which is his AV being killed, a screenshot of his desktop being taken, and full control of his machine given to the attacker.
     • Game over.
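The lures in this walkthrough share a pattern a mail gateway can check for: a real employee's name on a mailbox outside the company, a Reply-To that routes answers elsewhere, and links to a look-alike site. The script below is an added example written for this page, not code from the talk or from SensePost; the example.com mail domain, the name directory, the trusted-host list and the sample message are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed placeholders (assumptions for this example, not from the talk):
# the target's mail domain, a name directory, and hosts links may point at.
CORPORATE_DOMAINS = {"example.com"}
EMPLOYEE_NAMES = {"ellen smith", "fred jones"}
TRUSTED_LINK_HOSTS = {"www.example.com", "intranet.example.com"}
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def check_message(raw):
    """Inspect one raw RFC 5322 message; returns a list of finding strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    display = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    # A known employee's name on an address outside the company: the fake
    # "Ellen" and "Fred" accounts in the walkthrough look exactly like this.
    if display in EMPLOYEE_NAMES and domain not in CORPORATE_DOMAINS:
        findings.append("display-name impersonation: %s <%s>" % (name, addr))
    # Replies silently routed to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to mismatch: %s" % reply_to)
    # Links to hosts that are neither corporate nor a trusted vendor site:
    # the cloned company site and the fake "update" site both fail this test.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in URL_RE.findall(text):
        if host.lower() not in TRUSTED_LINK_HOSTS:
            findings.append("link to untrusted host: %s" % host)
    return findings

# Constructed sample in the shape of the first lure: a real name on an
# outside address, pointing staff at a look-alike event site.
PHISH = b"""From: Ellen Smith <ellen.smith@mail-example.net>
To: staff@example.com

Hi all, the photos from the team day are up at http://www.example-events.net/photos
"""

if __name__ == "__main__":
    for finding in check_message(PHISH):
        print(finding)
```

The two findings for the sample are the display-name impersonation and the untrusted link host; a message from the real ellen.smith@example.com linking to the intranet produces none.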
  22. Questions
  23. Contact Details
     Name: Yvette du Toit
     Email: yvette@sensepost.com