1. What
will
we
do
today?
• Penetra1on
Tes1ng
discussion
• Non-‐tech
view
– Types
of
services
– Dark
side?
• Social
Engineering
• Interac1ve
– Real-‐life
examples
2. Penetra1on
Tes1ng
• What?
– Rude
word……
– What
do
you
think?
4. Ops
J
• Client
discussions
• Report
• Proposal
• Invoice
• Acceptance
/
PO
• Rest
of
paperwork
(SOW
et
al)
• Resources
/
Schedule
• Delivery
5. Oops
L
• What
can
go
wrong?
– DoS
– Wrong
scope
– Mis-‐match
resources
– Dissa1sfied
clients
– Non-‐payment
6. Social
Engineering
(SE)
• Art
of
decep1on?
– Manipula1on
– Disclosure
• What
do
you
see
as
SE?
– Examples
7. SE:
Anatomy
• Agree
scope
– What
is
in?
– What
is
out?
MAKE
THIS
VERY
CLEAR
• Reconnaissance
– Onsite
– Web
– News
8. SE:
Anatomy
Cont’d
• Plan
based
on
reconnaissance
– Approximate
idea
of
execu1on
– Poten1al
back-‐up
plans
of
delivery
failure
– Changing
course
based
on
scenario
9. SE:
Characteris1cs
&
Tools
CHARACTERISTICS
TOOLS
• Guts
• Internet
• Keep
calm
• Google
Earth
• Think
on
your
feet
• Charm
• Change
tac1cs
whilst
• Manners
keeping
your
wits
• Gadgets
(phone,
about
you
camera)
11. SE:
Example
• Crea1ng
a
fake
email
account
with
a
real
person’s
name.
• Ellen
belongs
to
a
company
loosely
affiliated
with
the
target.
12. SE:
Example
Cont’d
• Sending
an
email
from
“Ellen”
to
many
hundreds
of
employees
of
the
target
company.
• The
email
contents
is
based
on
a
real
event
that
the
target
company
held
(gleaned
from
their
news
website).
• The
email
encourages
people
to
visit
a
website,
which
appears
to
be
legi1mate.
13. SE:
Example
Cont’d
• The
website
is
a
duplicate
of
the
target
company
website,
with
a
few
minor
modifica1ons
to
go
along
with
the
farcical
story
from
the
email.
• The
page
a]empts
to
run
a
Java
applet
(next
slide).
14. SE:
Example
Cont’d
• Should
the
user
click
yes
to
running
the
applet
from
the
site,
some
hos1le
Java
will
execute
which
will
compromise
the
machine,
and
give
the
a]acker
full
control
(as
in
next
slide)
15. SE:
Example
Cont’d
• Pwnd
;)
• Logs
of
people
visi1ng
the
site
16. SE:
Example
Cont’d
• Oddly
enough,
a
real
employee
(Fred)
replied
to
the
a]acker
with
real
comments
about
the
site.
• This
was
useful
as
it
gave
us
his
name
/
email
signature
etc.
which
could
be
used
to
create
another
fake
email
account
abusing
his
informa1on.
17. SE:
Example
Cont’d
Crea1ng
a
fake
account
for
target
company
employee
Fred
18. SE:
Example
Cont’d
• The
en1re
email
is
forged
from
Fred,
but
it
appears
as
though
he
is
forwarding
on
an
email
–
which
is
made
to
look
like
it
came
from
a
real
employee.
• Here
we
abuse
the
chain
of
trust.
• The
email
encourages
users
to
go
to
a
Microsob
website
to
download
an
urgent
update
19. SE:
Example
Cont’d
• The
a]acker
has
downloaded
a
real
MS
update,
but
sneakily
inserted
some
hos1le
code
(The
“hot”
file).
• This
is
hosted
on
a
fake
MS
website
(next
slide)
20. SE:
Example
Cont’d
Looks
legit?
Almost
too
good
to
be
true.
21. SE:
Example
Cont’d
• Here
we
see
a
user
downloading
and
running
the
file-‐
the
result
of
which
his
AV
being
killed,
a
screenshot
of
his
desktop
being
taken,
and
full
control
of
his
machine
given
to
the
a]acker.
• Game
over.
22.
Ques1ons
23. Contact
Details
Name:
Yve]e
du
Toit
Email:
yve]e@sensepost.com