The art of deceiving humans a.k.a social engineering
The most used attack vector by hackers: Social engineering
1. The Art of Deceiving Humans a.k.a. Social Engineering
Suraj Khetani, Regional Associate Security Consultant, Gulf Business Machines

2. #uname -a
• Security Consultant – 3.5 years experience
• Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA
• 3rd place at the Social Engineering CTF at Nullcon 2017
• Discovered 12 0-days in Oracle E-Business Suite
• Article: “How I used google dorks to find 0 days”
Hobbies
• Learner/researcher
• Current research interests: deserialization vulnerabilities, IoT, electronic security
• Former hip-hop dance instructor
• Fitness enthusiast and cricket lover; played for UAE under-14

3. Topics
• Social engineering and its different types
• Open Source Intelligence gathering (OSINT) and how it can be used in social engineering
• Live demo – OSINT
• Case study – Phishing assessment
• Live demo – Creating a phishing page
• Live demo – Creating a malicious Microsoft Office document
• Defenses

4. What is Social Engineering
“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access” – Source: Wikipedia

5. Requirements for Social Engineering
• Information about the person or the organization being targeted, used to create what is called a pretext
• OSINT
• Pretext

6. What is OSINT
• Open Source Intelligence (OSINT) – data that can be collected from publicly available sources
• Media: newspapers, magazines, radio, television, and computer-based information
• Web-based communities and user-generated content: social-networking sites, video sharing sites, wikis, blogs, and folksonomies
• Public data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards

7. Pretext
• An invented or fabricated scenario that uses the gathered information to target users in various forms of social engineering attacks

8. Different types
• Phishing
• Baiting – uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations where people will find them (bathrooms, elevators, sidewalks, parking lots, etc.)
• Vishing – the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft
• Tailgating – An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card,

9. OSINT tools
• Google Hacking Database (GHDB) – used to find exploitable targets and potentially sensitive data using the Google search engine
• PassiveRecon – Firefox add-on to automate Google hacking and perform DNS recon
• Dnsdumpster – enumerating/mapping subdomains and gathering IPs
• FOCA – metadata analyzer
• Datasploit – uses various search engine APIs to gather information
• Shodan – search engine for Internet-connected devices

10. Live Demo – OSINT

11. Case Study – Phishing Assessment

12. Requirements
• Pretext
• Users' email addresses
• Portal to be phished
• Phishing domain and hosting website
• Email signatures
• Font and color of email
• Non-assertive, non-compelling email with no grammatical mistakes

13. Phishing page

14. Phishing mail

15. Creating a phishing page which logs user credentials – Live Demo

16. Creating a malicious office document to compromise an end user – Live Demo

17. Defenses
• Run security awareness campaigns on a regular basis
• Always check the source if you find anything fishy about the phone call or email. The weakest point of a social engineer is that the source does not exist
• Always update software and apply missing patches
• Always hover over links to check for the exact URL
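As an added example (not from the slides), the script below automates the last defensive check: it does what hovering over a link would reveal, comparing each link's visible text with its real href in an HTML mail body and flagging links that point outside the claimed sender's domain. The sample mail and the example.com / .test names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL, or of a bare domain written as link text."""
    value = value.strip()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def suspicious_links(html_body, sender_domain):
    """Links whose real host differs from the text shown, or lies outside sender_domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Treat the visible text as a URL claim only if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            findings.append((href, f"shows {shown} but goes to {real}"))
        elif real and real != sender_domain and not real.endswith("." + sender_domain):
            findings.append((href, f"host {real} is outside {sender_domain}"))
    return findings

# Constructed sample (not from the slides): a mail claiming to come from example.com.
SAMPLE_MAIL = ('<p>Sign in at <a href="http://portal.example.com.login-portal.test/">'
               'https://portal.example.com/</a> or contact '
               '<a href="https://example.com/help">support</a>.</p>')

def check_sample():
    return suspicious_links(SAMPLE_MAIL, "example.com")
```

Running `check_sample()` reports only the first link, whose displayed `portal.example.com` hides a lookalike host, while the genuine support link under the sender's domain passes.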