09 - Social Engineering

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Module Objective

The objective of this lab is to help students learn to:

  • Clone a website
  • Obtain usernames and passwords using the Credential Harvester method
  • Generate reports for conducted penetration tests

Scenario

Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term “social engineering” can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. For example, instead of trying to find software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack to win a coveted “black badge” in the “social engineering” contest at the Defcon hackers’ conference in Las Vegas.

In this year's Capture the Flag social engineering contest at DefCon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

  • The small-town Canadian Wal-Mart store's janitorial contractor
  • Its cafeteria food-services provider
  • Its employee pay cycle
  • Its staff shift schedule
  • The time managers take their breaks
  • Where they usually go for lunch
  • Type of PC used by the manager
  • Make and version numbers of the computer's operating system, and
  • Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken into the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon MacDougall placed an “urgent” call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

The role-playing Visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

“Darnell,” said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, “Darnell” described himself as a newly hired manager of government logistics.

He also spoke offhand about the contract: “All I know is Wal-Mart can make a ton of cash off it,” he said, then went on to talk about his upcoming visit, keeping up a “steady pattern” about the project and life in Bentonville, Crowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

The compliant manager obliged, plugging the address into his browser.

When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, “Companies are way more aware of their security. They’ve got firewalls, intrusion detection, log-in systems going into place, so it’s a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren’t protecting, which is the people.”\

MacDougall also shared few best practices to be followed to avoid falling victim to a social engineer:

  • Never be afraid to say no. If something feels wrong, something is wrong
  • An IT department should never be calling asking about operating systems, machines, passwords or email systems—they already know
  • Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it
  • Keep tabs on what’s on the web. Companies inadvertently release tons of information online, including through employees’ social media sites

I. Social Engineering Penetration Testing using Social Engineering Toolkit (SET)

As a security expert, you should circulate the best practices to be followed among the employees.

Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available with underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages and attach malicious files and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/ Tabnabbing, etc. all at once.

Though numerous sorts of attacks can be performed using this toolkit, this is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily by the security community.

As an ethical hacker, penetration tester, or security administrator, you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

Lab Objectives

The objective of this lab is to help students learn to:

  • Clone a website
  • Obtain usernames and passwords using the Credential Harvester method
  • Generate reports for conducted penetration tests

Lab Analysis

In this lab, you have learnt how to use encrypting/decrypting commands and generating hashes and checksum files. Analyze and document the results related to the lab exercise.

Module Syllabus

  • What is Social Engineering?
  • Behaviors Vulnerable to Attacks
    • Factors that Make Companies Vulnerable to Attacks
  • Why is Social Engineering Effective?
  • Warning Signs of an Attack
  • Phases of a Social Engineering Attack
  • Impact on the Organization
  • Command Injection Attacks
  • Common Targets of Social Engineering
    • Common Targets of Social Engineering: Office Workers
  • Types of Social Engineering
    • Human-Based Social Engineering
      • Technical Support Example
      • Authority Support Example
      • Human-based Social Engineering: Dumpster Diving
    • Computer-Based Social Engineering
      • Computer-Based Social Engineering: Pop-Ups
      • Computer-Based Social Engineering: Phishing
    • Social Engineering Using SMS
    • Social Engineering by a “Fake SMS Spying Tool”
  • Insider Attack
    • Disgruntled Employee
    • Preventing Insider Threats
  • Common Intrusion Tactics and Strategies for Prevention
  • Social Engineering Through Impersonation on Social Networking Sites
    • Social Engineering Example: LinkedIn Profile
    • Social Engineering on Facebook
    • Social Engineering on Twitter
    • Social Engineering on Orkut
    • Social Engineering on MySpace
  • Risks of Social Networking to Corporate Networks
  • Identity Theft Statistics 2010
    • Identify Theft
    • How to Steal an Identity?
    • STEP 1
    • STEP 2
    • STEP 3
  • Real Steven Gets Huge Credit Card Statement
  • Identity Theft - Serious Problem
  • Social Engineering Countermeasures: Policies
    • Social Engineering Countermeasures
  • How to Detect Phishing Emails?
    • Anti-Phishing Toolbar: Netcraft
    • Anti-Phishing Toolbar: PhishTank
  • Identity Theft Countermeasures
  • Social Engineering Pen Testing
    • Social Engineering Pen Testing: Using Emails
    • Social Engineering Pen Testing: Using Phone
    • Social Engineering Pen Testing: In Person