ECSAv10 Instructor Slides Module 04

ECSA
MODULE OBJECTIVE

Learn how to implement a comprehensive penetration testing methodology for assessing human behaviors against possible social engineering attacks. The objective of performing social engineering penetration testing is to test the strength of the human factors in the security chain within the organization.

Social Engineering Penetration Testing

- A social engineering pen test is often used to raise the level of security awareness among employees by allowing them to experience a real attack, without an actual breach taking place.
- The tester should demonstrate extreme care and professionalism during a social engineering pen test and also when presenting the results of the test. You don't want to break any laws, violate a client's privacy, or do anything that may result in an embarrassing situation for the organization.
- There are mainly three different ways by which you can conduct social engineering penetration testing:
  - Vishing
  - Phishing
  - Physical

Skills Required to Perform Social Engineering Pen Test

- Creativity
- Good interpersonal skills
- Talkative and friendly nature

Common Targets of Social Engineering Pen Test

- Vendors of the organization
- Support executives

Do Remember: Before Social Engineering Pen Test

"Be aware of local laws as some of your actions may infringe on them."

Do Remember: Before Social Engineering Pen Test (Cont'd)

"Be aware of the social engineering pretext agreed to in the ROE."

Black Box or White Box?

- In white box social engineering penetration testing, you will be provided with the phone numbers, e-mail addresses and locations of the targets the client wants to be tested.
- In black box social engineering penetration testing, you need to obtain this information using open-source intelligence (OSINT) techniques.

Social Engineering Penetration Testing Steps

Step 1: Attempt Social Engineering Using Email
Step 2: Attempt Social Engineering Using Phishing
Step 3: Attempt Social Engineering Using the Phone (Vishing)
Step 4: Visit the Company as an Inquirer and Extract Privileged Information
Step 5: Visit the Company Locality
Step 6: Attempt to Use Fake ID to Gain Access
Step 7: Attempt Piggybacking/Tailgating
Step 8: Listen to Employee Conversation in Communal Areas/Cafeteria
Step 9: Identify "Disgruntled Employees" and Engage in Conversation to Extract Sensitive Information
Step 10: Attempt Eavesdropping
Step 11: Try to Shoulder Surf Users Logging On
Step 12: Attempt Media Dropping
Step 13: Attempt Dumpster Diving

Social Engineering Penetration Testing using E-mail Attack Vector

Attempt Social Engineering using Email

- Create a web page that spoofs the company's identity.
- Send an email to someone in the company asking them to visit http://x.x.x.x/login.asp? and log in again to activate the server upgrade.
- Make the email look legitimate and real (company fonts, colors, logo, etc.).

Example of Social Engineering using Email

- Send sweepstakes (lottery, gifts, etc.) information to users, and ask them to provide their name, email ID, password, and address through an online form.
- Another way to obtain information online is by posing as a network administrator and sending emails to users requesting them to provide a password.

Attempt Social Engineering using Phishing

- Use fake websites to redirect employees to give out passwords and other sensitive information.
- Pop-ups can be used to trick users into clicking hyperlinks that redirect them to fake web pages asking for personal information.
- Send an email to employees and provide a link to a fake site that looks similar to the original.

Launch a Phishing Campaign

- Launch a phishing campaign against the organization using different frameworks such as Phishing Frenzy, LUCY, Social-Engineer Toolkit (SET), SpeedPhish Framework (SPF), Gophish, etc.
- (Slides show screenshots of Phishing Frenzy, Social-Engineer Toolkit (SET), SpeedPhish Framework (SPF) and Gophish.)

Social Engineering Penetration Testing using Telephone Attack Vector

Attempt Social Engineering using the Phone (Vishing)

- Information to target: contact or schedule information for other employees; usernames and passwords.
- Act as a customer looking for sensitive information.
- Pose as an employee who forgot their password.
- Trick employees into running commands on their computer and giving you information.
- Pretend to be a technical support member to trick staff.

Example of Social Engineering using the Phone

- Call the company's help desk and ask for sensitive information.
- Call the receptionist, engage in conversation, and extract various contact details of the company.
- Make it look realistic; rehearse many times before you call.
- Have backup answers for every question you throw at the target person.
- Record the conversation for reporting purposes.

Social Engineering Penetration Testing using Physical Attack Vector

Visit the Company as an Inquirer and Extract Privileged Information

- Visit the company's physical premises and pose questions to the receptionist:
  - I am a new customer, and I am interested in your products. Do you have a catalog?
  - I would like to meet your vice president. Do you know how I can contact him?
  - What time do you usually open and close?
  - Do you have any office other than this?
  - Do you have any other telephone numbers other than the one posted on the website?
- Take a picture of the premises using a phone.
- Ask if you can use the restroom, if the company has an internal restroom, and observe various rooms (take photos if you can).

Example: "Hi, I'm Sharon, I'm a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that, if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."

Visit the Company Locality

- Visit the company location to gather general information, such as the number of people working in the company and the names and phone numbers of important persons, from other sources such as:
  - Ancillary staff, such as maintenance or cleaning personnel
  - Neighboring shopkeepers and vendors

Attempt to Use Fake ID to Gain Access

- Create an ID/badge that looks authentic and see if you can enter the office/restricted areas using the fake identity.

Attempt Piggybacking/Tailgating

- Try getting into an office or restricted areas with authentic staff without having to show a valid ID. Use piggybacking or tailgating techniques.

Listen to Employee Conversation in Communal Areas/Cafeteria

- Try to listen to employee conversations in communal areas, such as cafeterias or hallways.
- Listen for details such as the latest projects going on within the company, the names of key personnel or other useful information that could be exploited, including disgruntled employees.

Identify "Disgruntled Employees" and Engage in Conversation to Extract Sensitive Information

- Identify disgruntled employees by overhearing conversation in the company cafeteria.
- Befriend him/her and express similar views about the company to extract the following information:
  - Company's policies and IT infrastructure
  - Workplace address and contact information
  - Personal information
  - Organization's computer network details
  - Organization's policies
  - Organization's structure
  - Organization's functions
  - Organization's future projects
  - Organization's employee details

Attempt Eavesdropping

- Try to obtain information by eavesdropping on conversations that others are having in person, over the phone or by video conference.
- Look for confidential information in documents that are left in plain sight.

Try to Shoulder Surf Users Logging On

- Walk or stand behind someone as they are typing and look at what's on their screen. Note any confidential information that is viewable.
- Attempt to obtain someone's PIN or password as they enter it on their keyboard. If you are not able to get close to them as they are typing, use binoculars or a low-power telescope to observe them from afar.

Attempt Media Dropping

- Drop media somewhere conspicuous, like a parking lot or building entrance area.
- You can use media like a USB flash drive containing malicious software; when inserted into the computer it will automatically run and then launch a client-side attack when opened.
- You could also pose as a potential employee and see if someone will print your resume from your USB flash drive.

Attempt Dumpster Diving

- Dumpster diving is looking for treasure in someone else's trash.
- Look through trash cans and paper bins inside and outside of office buildings. Look for the following:
  - Phone bills
  - Contact information
  - Financial information
  - Operations-related information
- Also look on employee desks and under their keyboards for sticky notes or other documents containing confidential information, including usernames and passwords.

Document the Result

- Note down the targets (people) that you find vulnerable to social engineering attacks along with their name, contact details, department, etc.

Social Engineering Countermeasures and Recommendations

- Train employees/help desk to never reveal passwords or other information by phone. Enforce policies for the front office and help desk personnel.
- Train technical support executives and system administrators to never reveal passwords or other information by phone or email.
- Implement strict badge, token or biometric authentication, employee training, and security guards.
- Employee training, best practices and checklists for using passwords.
- Escort all guests.
- Educate vendors about social engineering.
- Lock and monitor the mail room; employee training.
- Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment.
- Train executives to never reveal identity, passwords or other confidential information by phone or email.
- Keep all trash in secured, monitored areas; shred important data; erase magnetic media.
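The e-mail and phishing steps above all rest on a handful of observable indicators: a link to an IP-literal host such as http://x.x.x.x/login.asp, a login page on a domain that merely resembles the company's own, a sender posing as a network administrator or help desk from an outside address, and "log in again to activate" or sweepstakes wording. The Python script below is an added example, not content from the ECSA slides, that scores a reported message on exactly those indicators so a help desk or mail-filter rule can triage it; the organization domain example-corp.com, the score weights, the threshold and the sample messages are all constructed assumptions. It generalizes the slide's single IP-literal case to look-alike domains as well.

```python
"""Score an incoming message on the phishing indicators described in the
e-mail and phishing slides. Added example, not ECSA slide content; the
organization domain, the score weights and the sample messages are assumed.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the client's legitimate domain

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Lure wording from the slides: "log in again to activate", sweepstakes, admin requests
LURE_PHRASES = ("log in again", "activate", "provide your password",
                "lottery", "sweepstakes", "gift")
# Roles an attacker poses as when mailing from outside the organization
INTERNAL_ROLES = ("administrator", "network admin", "help desk", "helpdesk", "it support")


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    def hit(self, points, why):
        self.score += points
        self.indicators.append(why)


def in_org(host):
    """True for the organization's own domain or any subdomain of it."""
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def lookalike(host):
    """Outside domain that reuses the organization's name (e.g. example-corp.com.evil.co)."""
    return not in_org(host) and ORG_DOMAIN.split(".")[0] in host


def triage(headers, body):
    v = Verdict()
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and not in_org(sender_domain):
        if any(role in name.lower() for role in INTERNAL_ROLES):
            v.hit(3, f"'{name}' claims an internal role but mails from {sender_domain}")
        if lookalike(sender_domain):
            v.hit(2, f"sender domain imitates the organization: {sender_domain}")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if IP_HOST_RE.match(host):
            v.hit(4, f"link to an IP-literal host: {url}")
        elif lookalike(host):
            v.hit(3, f"link to a look-alike domain: {host}")
        if "login" in parsed.path.lower() and not in_org(host):
            v.hit(2, f"login page outside the organization: {url}")
    low = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in low:
            v.hit(1, f"lure wording: '{phrase}'")
    return v


def is_suspicious(headers, body, threshold=4):
    return triage(headers, body).score >= threshold


# Constructed samples (192.0.2.0/24 is a documentation range, not a real host).
PHISH_HEADERS = {"From": "IT Help Desk <support@example-corp-support.net>"}
PHISH_BODY = ("The mail server was upgraded last night. Please visit "
              "http://192.0.2.10/login.asp and log in again to activate your account.")
LEGIT_HEADERS = {"From": "Alice Jones <alice.jones@example-corp.com>"}
LEGIT_BODY = "Minutes from today's meeting: https://intranet.example-corp.com/minutes/2024-05"
LOOKALIKE_BODY = "Confirm your badge photo at https://example-corp.com.id-check.co/login"

if __name__ == "__main__":
    for hdrs, body in ((PHISH_HEADERS, PHISH_BODY), (LEGIT_HEADERS, LEGIT_BODY),
                       (LEGIT_HEADERS, LOOKALIKE_BODY)):
        v = triage(hdrs, body)
        print(f"score={v.score:2d} suspicious={is_suspicious(hdrs, body)}")
        for ind in v.indicators:
            print("   -", ind)
```

The weights are deliberately crude: the IP-literal link alone crosses the threshold, because a legitimate corporate login page is never reached by bare address, while lure wording on its own only nudges the score, since "activate" or "gift" appear in plenty of benign mail. Run the script to see all three constructed messages scored, with the indicators that fired listed under each.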
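The "Document the Result" step asks for a record of which targets proved vulnerable, with their department, and the countermeasures slide hinges on employee training, so the report needs per-department figures rather than a raw event dump. The Python script below is an added example, not from the ECSA slides or from Gophish or any other framework: it folds a campaign event log into one worst-outcome record per target and into click, submission and reporting rates per department. The column layout (target e-mail, department, event name, timestamp) is an assumption loosely modelled on a campaign export, and every record in it is constructed.

```python
"""Turn raw phishing-campaign events into the per-target record the
"Document the Result" step calls for, plus per-department rates for the
awareness report. Added example; the event-log layout is assumed and all
records are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per event, in the order it happened.
CAMPAIGN_CSV = """email,department,event,timestamp
a.ahmed@example-corp.com,Finance,Email Sent,2024-05-06T09:00:00
b.baker@example-corp.com,Finance,Email Sent,2024-05-06T09:00:01
c.chen@example-corp.com,Support,Email Sent,2024-05-06T09:00:02
d.diaz@example-corp.com,Support,Email Sent,2024-05-06T09:00:03
e.evans@example-corp.com,Engineering,Email Sent,2024-05-06T09:00:04
e.evans@example-corp.com,Engineering,Email Reported,2024-05-06T09:05:00
a.ahmed@example-corp.com,Finance,Clicked Link,2024-05-06T09:12:40
a.ahmed@example-corp.com,Finance,Submitted Data,2024-05-06T09:13:05
c.chen@example-corp.com,Support,Clicked Link,2024-05-06T09:20:11
d.diaz@example-corp.com,Support,Clicked Link,2024-05-06T09:22:30
d.diaz@example-corp.com,Support,Submitted Data,2024-05-06T09:23:02
"""

# Escalating outcome levels; a target's result is the worst event seen.
LEVELS = {"Email Sent": 0, "Clicked Link": 1, "Submitted Data": 2}


def per_target(csv_text):
    """Map each target e-mail to its department, worst outcome and whether it reported the mail."""
    targets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = targets.setdefault(row["email"], {"department": row["department"],
                                                "outcome": "Email Sent", "reported": False})
        if row["event"] == "Email Reported":
            rec["reported"] = True
        elif LEVELS.get(row["event"], -1) > LEVELS[rec["outcome"]]:
            rec["outcome"] = row["event"]
    return targets


def department_rates(targets):
    """Per department: target count plus click, submission and report rates as fractions."""
    counts = defaultdict(lambda: {"targets": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rec in targets.values():
        c = counts[rec["department"]]
        c["targets"] += 1
        if LEVELS[rec["outcome"]] >= 1:
            c["clicked"] += 1
        if LEVELS[rec["outcome"]] >= 2:
            c["submitted"] += 1
        if rec["reported"]:
            c["reported"] += 1
    return {dept: {"targets": c["targets"],
                   "click_rate": c["clicked"] / c["targets"],
                   "submit_rate": c["submitted"] / c["targets"],
                   "report_rate": c["reported"] / c["targets"]}
            for dept, c in counts.items()}


def vulnerable_targets(targets):
    """The list the slide asks for: everyone who clicked or submitted, worst outcome first."""
    rows = [(email, rec["department"], rec["outcome"])
            for email, rec in targets.items() if LEVELS[rec["outcome"]] >= 1]
    return sorted(rows, key=lambda r: (-LEVELS[r[2]], r[0]))


if __name__ == "__main__":
    targets = per_target(CAMPAIGN_CSV)
    for dept, r in sorted(department_rates(targets).items()):
        print(f"{dept:12s} n={r['targets']} click={r['click_rate']:.0%} "
              f"submit={r['submit_rate']:.0%} report={r['report_rate']:.0%}")
    print("Vulnerable targets:")
    for email, dept, outcome in vulnerable_targets(targets):
        print(f"  {email:28s} {dept:12s} {outcome}")
```

Recording the worst outcome per person, rather than counting events, keeps a target who clicked three times from inflating the department's figure, and tracking "Email Reported" separately gives the report a positive metric to recommend reinforcing in training, not just a list of failures.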
