
    Social Engineering Techniques

    Will Vandevanter, Senior Security Consultant
    Danielle Sermer, Business Development Manager




1
    Agenda


    1   Rapid7 Company Overview and Learning Objectives


    2   Social Engineering Techniques


    3   Summary and Q&A




2
  Rapid7 Corporate Profile

Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09

Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services

Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+

Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers

Rankings
• #1 Fastest growing company for Vuln. Mgmt
• #1 Fastest growing software company in Mass.
• #7 Fastest growing security company in U.S.
• #15 Fastest growing software company in U.S.
    Social Engineering Techniques




4
    Will Vandevanter

• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com



5
    Social Engineering Definition




         “The act of manipulating people into performing actions
         or divulging confidential information.”

                        Wikipedia (also sourced on social-engineer.org)




6
    Social Engineering Definition Revisited

    • The act of manipulating the human element in order to achieve a goal.

    • This is not a new idea.




7
    Visualizing the Enterprise




8
    Goal Oriented Penetration Testing

    • The primary objective of all assessments is to demonstrate risk
    • ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
    • How do I know what is most important to the business?



9
     How We Use Social Engineering




     • To achieve the goals for the assessment
     • To test policies and technologies




10
     Commonalities

     1. Information Gathering
     2. Elicitation and Pretexting
     3. The Payload
     4. Post Exploitation
     5. Covering your tracks



11
     Electronic Social Engineering




12
     Information Gathering

     • White Box vs. Black Box vs. Grey Box
     • Know Your Target
     • Gather Your User List
       –   Email Address Scheme
       –   Document meta-data
       –   Google Dorks
       –   Hoovers, Lead411, LinkedIn, Spoke, Facebook
     • Verify Your User List
     • Test Your Payload
13
     Template 1 – The Fear Factor

• Goal: To obtain user credentials without tipping off the user

• Identify a user login page
     – Outlook Web Access
     – Corporate or Human Resources Login Page
• Information Gathering is vital

14
     Pretexting




15
     The Payload




16
     Post Exploitation




17
     How Effective Is It?

     • Incredibly Successful
     • Case Study
        – Mid-December 2010
        – 80 e-mails sent to various offices and levels of users
        – 41 users submitted their credentials
     • Success varies with certain factors
        –   Centralized vs. Decentralized Locations
        –   Help Desk and internal communication process
        –   Number of e-mails sent
        –   Time of the day and day of the week matter
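The case-study numbers above (41 of 80) are exactly the kind of metric the closing slides call critical, and the factors listed are the dimensions a defender should break the numbers down by. The following is an added example, not code from the talk or from Rapid7: it takes a constructed campaign (80 e-mails, 41 submissions, split across centralized and decentralized offices and two send times; the split and the field names are assumptions) and reports the submission rate per factor with a Wilson score interval, so a small campaign's rate is reported with its uncertainty rather than as a bare percentage.

```python
"""Phishing-assessment metrics (added example): submission rates broken down by the
factors the talk names (office type, time of day), each with a 95% Wilson score
interval so that a few points of difference between two campaigns is not over-read."""
from collections import defaultdict
from math import sqrt


def build_campaign():
    """Constructed sample campaign (illustrative, not the talk's data): 80 e-mails,
    41 credential submissions, two office types, sent either at 09:00 or 15:00."""
    records = []
    for i in range(40):  # centralized headquarters: 25 of 40 submit
        records.append({"office": "centralized",
                        "hour": 9 if i < 20 else 15,
                        "submitted": i % 8 < 5})
    for i in range(40):  # decentralized branches: 16 of 40 submit
        records.append({"office": "decentralized",
                        "hour": 9 if i < 20 else 15,
                        "submitted": i % 5 < 2})
    return records


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion. Better behaved than the
    textbook p +/- z*sqrt(p(1-p)/n) for the small samples one campaign yields."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summarize(records, factor):
    """Group records by factor(record) and return, per group, the number of e-mails
    sent, credentials submitted, the submission rate and its 95% interval."""
    groups = defaultdict(lambda: {"sent": 0, "submitted": 0})
    for r in records:
        g = groups[factor(r)]
        g["sent"] += 1
        g["submitted"] += int(r["submitted"])
    for g in groups.values():
        g["rate"] = g["submitted"] / g["sent"]
        g["ci95"] = wilson_interval(g["submitted"], g["sent"])
    return dict(groups)


def time_of_day(record):
    return "morning" if record["hour"] < 12 else "afternoon"


def campaign_report(records):
    """Overall rate plus the per-factor breakdowns the talk says success varies with."""
    return {
        "overall": summarize(records, lambda r: "all"),
        "by_office": summarize(records, lambda r: r["office"]),
        "by_time": summarize(records, time_of_day),
    }


if __name__ == "__main__":
    for section, groups in campaign_report(build_campaign()).items():
        print(section)
        for name, g in sorted(groups.items()):
            lo, hi = g["ci95"]
            print(f"  {name:14} {g['submitted']:3}/{g['sent']:<3} "
                  f"{g['rate']:.1%}  (95% CI {lo:.1%} to {hi:.1%})")
```

The intervals are the point: a single 80-message campaign at 51% has a 95% interval of roughly 40% to 62%, so a follow-up campaign at 45% is not evidence that awareness training worked. Tracking the same breakdowns campaign after campaign is what turns these assessments into metrics.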

18
     Controls and Policy

     • Do your users know whom to contact if they receive an e-mail like this?
     • How well is User Awareness Training working?
     • How well is compromise detection working?
     • Are your mail filters protecting your users?



19
     Template 2 – Security Patch

     • Goal: To have a user run an executable providing internal access to the network.

     • Information Gathering:
        – Egress filtering rules
        – Mail filters
        – AV



20
     Pretexting




21
     The Payload

     • Meterpreter Executable
     • Internal Pivot




22
     Post Exploitation




23
     How Effective Is It?

     • Highly dependent on a large number of factors
     • At least 5-10% of users will run it
     • Case Study
       – July 2010
       – ~70 users targeted
       – 12 connect-backs made
     • Success Varies on Many Factors
       – Egress Filtering
       – Mail Server Filters
       – Server and endpoint AV

24
     Controls and Policy

     • Do your users know whom to contact if they receive an e-mail like this?
     • How well is User Awareness Training working?
     • How well is compromise detection working?
     • Are your mail filters protecting your users?
     • Technical Controls
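The executable template's success, as the slides say, depends on egress filtering: a connect-back only works if a workstation can open a direct connection to the internet. One technical control worth checking is whether firewall logs show workstations bypassing the proxy. The following is an added example, not code from the talk or from Rapid7; it assumes a log line format, a workstation subnet (10.1.0.0/16) and a proxy address (10.0.0.5), all of which are constructed for the illustration, and rates any allowed direct outbound connection from a workstation as a finding, with non-web ports rated higher.

```python
"""Egress-policy audit over firewall logs (added example, not from the talk).

Assumed policy: workstations in 10.1.0.0/16 reach the internet only through the
proxy at 10.0.0.5. Any *allowed* direct connection from a workstation to a
non-RFC1918 address is an egress-filtering gap; one on a non-web port is the
shape of connection a connect-back payload relies on and is rated high."""
import ipaddress
import re

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<p> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")  # assumed user subnet
# RFC 1918 ranges listed explicitly: ipaddress's is_private also matches documentation
# ranges such as 203.0.113.0/24, which would hide the sample external hosts below.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

# Constructed sample log: one workstation reaches two external hosts directly,
# the proxy reaches one (fine), the filter blocks another workstation, and one
# line is junk so the parser's failure path is exercised.
SAMPLE_LOG = """\
2010-07-14T10:02:11 src=10.1.4.23 dst=203.0.113.10 dport=443 proto=tcp action=allow
2010-07-14T10:02:15 src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
2010-07-14T10:03:40 src=10.1.4.23 dst=198.51.100.7 dport=4444 proto=tcp action=allow
2010-07-14T10:03:41 src=10.1.7.9 dst=198.51.100.7 dport=4444 proto=tcp action=deny
2010-07-14T10:04:02 src=10.1.4.23 dst=10.0.0.53 dport=53 proto=udp action=allow
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"],
                "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]),
                "dport": int(m["dport"]),
                "proto": m["proto"],
                "action": m["action"]}
    except ValueError:  # malformed address
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def audit_egress(lines):
    """Return direct-to-internet findings from workstations, plus counts of the
    connections the filter blocked (a useful metric) and unparseable lines."""
    findings, blocked, unparsed = [], 0, 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["src"] not in WORKSTATIONS or is_internal(ev["dst"]):
            continue  # proxy/server traffic, or an internal destination: not egress
        if ev["action"] != "allow":
            blocked += 1  # the egress filter did its job
            continue
        findings.append({
            "ts": ev["ts"], "src": str(ev["src"]), "dst": str(ev["dst"]),
            "dport": ev["dport"],
            "severity": "high" if ev["dport"] not in WEB_PORTS else "medium",
            "reason": "workstation reached the internet directly, bypassing the proxy",
        })
    return {"findings": findings, "blocked": blocked, "unparsed": unparsed}


if __name__ == "__main__":
    result = audit_egress(SAMPLE_LOG.splitlines())
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
    print(f"blocked by filter: {result['blocked']}, unparsed lines: {result['unparsed']}")
```

Run against real logs, the "blocked" count is the metric that shows the filter working, and each finding is a host that a phished user could hand to an attacker as a pivot; the medium findings on ports 80 and 443 still matter, because a payload that uses a web port is the obvious way round a filter that only blocks the rest.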

25
     Tools of The Trade

     • Information Gathering
       – Maltego
       – Shodan
       – Hoovers, Lead411, LinkedIn
     • Social Engineering Toolkit (SET)
     • Social Engineering Framework (SEF)
     • Metasploit

26
     Physical Social Engineering




27
     Information Gathering




         “If you know the enemy and know
         yourself you need not fear the
         results of a hundred battles.”

                                     -Sun Tzu




28
     Information Gathering

     • White Box vs. Black Box vs. Grey Box
     • Know Your Target
     • Pretexting is highly important




29
     Pretexting

     • Props or other utilities to create the ‘reality’
     • Keep the payload and the goal in mind
     • Information Gathering is key


30
     Template 1 – Removable Media

     • Goal: To have a user either insert a USB drive or run a file on the USB drive
     • Start with no legitimate access to the building
     • Getting it in there is the hard part

31
     Pretexting USB Drives

     • The Parking Lot
     • Inside of an Envelope
     • Empathy
     • Bike Messenger, Painter, etc.




32
     Payload

     • AutoRun an executable
     • Malicious PDF
     • Malicious Word Documents




33
     Post Exploitation




34
     Controls and Policies

     • What are the restrictions on portable media?
     • Was I able to bypass a control to gain access to the building?
     • Technical Controls




35
     Case Study - The Credit Union Heist

     • Goal: “Paul” needed to obtain access to the server room at a credit union
     • The room itself is locked and accessible via key card only.
     • Information Gathering
     • Pretexting


36
     Gadgets

     • RFID card reader and spoofer
     • Pocket Router
     • SpoofApp
     • Lock Picking Tools
     • Uniforms


37
     Closing Thoughts

     • Protecting against Social Engineering is extremely difficult
     • User Awareness training has its place
     • Regularly test your users
     • Metrics are absolutely critical to success
     • During an assessment much of it can be about luck

38
     Resources

     • www.social-engineer.org
     • “The Strategems of Social Engineering” – Jayson Street, DefCon 18
     • “Open Source Information Gathering” – Chris Gates, BruCON 2009
     • Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith




39
     Questions or Comments




40
