
Avoiding the Social Engineering Hangover

BSides Detroit | 50:54 | 107 views | Published 2012-06
About this talk
Elizabeth Martin talks to us about the need to properly scope your SE engagement to meet the needs of the business among other issues she has encountered.

engineering or little tips and tricks and things like that what I'm going to talk about is how to actually plan execute and deliver a professional engagement um so I think you heard enough about who I am uh I've done I would say probably more social engineering I've done more social engineering uh engagements than a lot of the people I know I you know it just doesn't really seem to be a very popular uh assessment phase but I've been doing it for about 10 plus years um and so I really what I wanted to do is share sort of how I execute with you so the goals of a professional social engineering assessment is to be a

be professional and I that maybe that seems like it goes without saying but it doesn't um you have to be very organized and methodical and most importantly you have to provide value to the company this talk was kind of born from an experience I had with another consulting organization that had essentially just kind of thrown somebody on site and said okay drop a USB and you know see what happens and they got in and they got admin rights and they're like woohoo well you know consulting engagements or delivering professional services like that um you know there's a methodology and process to it but most importantly what you want to do is test the client and their policies

right and provide value to the company so what does that mean um and one thing I do want to point out to let me ask of the audience how many people here are Security Consultants or practitioners vendor focused one two Stephen three four uh and then how many folks are internal security folks okay so I guess as I'm going through this talk you know I'm I'm sharing the methodology and the process for the purpose of if you have to deliver these types of engagements but I would also encourage you if you're an internal individual to use this as a gauge for um assessing any vendors that you call in to do social engineering so these are some of the core components

that will differentiate whether or not um you know they're executing in a professional manner so what is it mean you know what I described earlier um you want to make sure through this process that you have very clearly defined goals and objectives very specific and I'll get into a little bit more detail later on and what that actually means um you want to be able to illustrate your approach and your plan to the client prior to beginning even even your initial very first discussion you want to be able to clearly outline the steps that you would take or the phased approach that you would take uh data collection and organization is an extremely important piece of delivering

these types of engagements and it's the most challenging uh that's why I call it that social engineering hangover because at the end of the day you have all of this information and data and it can be you know difficult to manage and then you have to actually present your findings in a manner that can be consumed by the C-level and the end users so it's important to note that at the end of the day your findings and recommendations they really are going to be targeted towards the non-IT and non-security folks so you have to sort of keep that in your mind while you're developing your presentation so this is my my uh go-to what's wrong with security guy he's my

poster child so this is kind of he's saying dude I just dropped a USB in their parking lot and I got total admin rights now he's off drinking beer right and then his finding is you suck and your employees suck and I win I won the contest you know and his recommendation is don't click and don't be dumb like thanks that was really helpful um I'll just let you guys read what I think about that this is it frustrates me and this is kind of a situation that that you know inspired me to write this talk so as we go through this I want to if we can is make this as collaborative as possible so that we can sort of have

a case study and as we're going through the talks I want to apply it to a very specific type scenario um so this scenario that we're going to start with it's a midsize manufacturing client I swear to God we did Stephen and I did not plan this uh midsize manufacturing client about 5,000 employees they have multiple physical locations um testing will be in scope for corporate location and one plant and this is one phase of an Enterprise assessment all right so I'm going to open this up to you guys let me ask you what do you think we need to know when we start a social engineering engagement what what types of questions do we need to

ask what we all right good what can we not

do good good what are the communication methods anyone

else yep exactly

goals yep restraints are very important exactly that's and I'm going to start going through flipping through the slides but that's the number one question um that's the place to start why do you want to do this and it's extremely important to understand the driver and the individual that's driving it because that individual you regardless you're likely interfacing with a security administrator or security manager or maybe the CISO or director of security um it's very important to understand if it's driven by the C-levels or if it's driven by the security organization because to some degree you may actually have to manage the security organization right um so you know it's important to understand is it driven by

compliance so a lot of online banks require pretexting um you know there's not a whole lot of other compliance requirements that require social engineering but is it is it because of an incident did something actually happen and suddenly this you know has become a problem or is it of course some type of CNN type driving or you know some executive read the back of an airline magazine or something like that so the second thing so now we understand okay in this particular case study let's say that um well I'm I'll actually get to that in a second but the second question we need to understand is do you have a policy right what are your existing

policies because you you know we really should be testing something very specific which would be specific policies and procedures uh do you have an awareness program are your end users pretty aware of information security have they ever been trained um how often are they trained what's the content of the training really getting a good feel for whether you believe it's going to be free rame with the end users or if you know they have at least a degree of what to and what not to allow and then what are your technical controls what what are your the technical controls that you have in place do you have phishing um spam phishing and spam protection do you

you know require SSL on your public website um DLP USB controls anti-malware things like that now all of this sort of gives you a good understanding of the technical and culture and the maturity level of that company um so usually when you're having this initial conversation um you find out a lot of information that tells you a lot about the company oh and then the other question is is this going to be blind or informed so are you going to give me some information that I can use or am I walking into each of these locations blind with no information and then Gathering what I can publicly so here's the answers that we got so we asked all these questions um

and and this is all occurring via kickoff call right so this is about a one hour call where you ask these questions and get this information so the answers in this particular case study is we need to do it um I know it's a problem and this is a senior security manager they've had a few incidents in the past um and this is at the direction of senior management that they want to improve their existing policies and procedures uh do they have a policy yes they've had a policy in place for about two years it is about 50 pages it contains technical policies as well as end-user-based policies uh next question awareness

program yes uh we well yeah no yes kind well kind of yeah we do well sort of all right hold on a second here um and this I don't know why but almost every single solitary client I talk to um they fall down on this answer and they stumble over their words I think they're a little bit embarrassed but so you have to drill into that a little bit more okay do you have annual awareness training that's delivered via CBT or um onsite you know physical delivery uh no okay uh do you do training at new hire yeah we train we provide the AUP and HR trains against the AUP uh the AUP okay is this AUP

different than the policy you just explained no no no it's all in the same policy okay so what you're saying is HR is training on the 50 page policy at new hire correct all right good I'm crystal clear I understand exactly what's going on here so the next answers we get that um in regards to technical controls is spam phishing of course we have those that degree of protection we've had some tools in place for quite a while no we don't use SSL by default on our public website no we don't really have two-factor for our OWA or Citrix environment but we're we're probably going to do that sometime um Active Directory is exposed

to the internet via the Citrix servers uh there's no USB or DLP controls and in fact you know now they start really dishing out a lot more information that you didn't even ask they've had malware issues in the past the end users have admin rights uh they don't really control the software that's deployed um certainly end users have disabled AV for one reason or another and they do not have web content filtering so these are kind of the answers that we got about this organization

so tell me what what do you think this organization's profile is so it's a midsize manufacturing company 5,000 employees and um 5,000 employees in multiple locations so what do you think the maturity level of this organization is okay two out of five right why why is the maturity level important when you're talking about social

engineering exactly and so now as you're going into this what are you going to test

yep now so maturity level they're immature where do they need to improve probably everywhere right um which areas are so easy that it would not even make sense to test right so these are kind of the questions you have to ask yourself um because don't forget we're in the so I didn't mention this we're in the scoping phase of of this engagement right so everything you do costs money so you have to make sure you can do it within a budget and you have to make sure you're delivering value for those dollars spent so and then you have to ask yourself okay wh which areas do they need to likely improve the most and where how can I execute this testing in

the areas that would apply to them so with the given that there's two aspects of social engineering there's physical social engineering and there is technical social engineering uh now based on this what what do you think we should start with and where where do you think that we should begin our testing or or focus on for this particular engagement both how how deep do you think we should go with both of them meaning fundamental yep

good

point good you guys are writing this for me yep and and that's exactly what um oh and here's the other question what shouldn't we do this is a client's money right so that's kind of what we're thinking about so here's here's me the happy little consultant you know as a pentester you sit there and you think oh this is going to be so much fun I will with all the lack of controls there's 10 different ways that I can get get in and I'm just going to smoke you um my opinion is that there's no value in that I I already know it's going to it's going to be so completely easy from a technical standpoint

phishing USBs you know I know there's no question in my mind how easy it will be so what I sort of decided uh no technical testing unless there's some very specific areas that they want to understand how at risk they are and they need you know some degree of evidence to champion some solution or budget or something like that other than that I my recommendation to the client is listen put some controls in place and then we can test them technically uh you know we need to go through some degree of improvement here but I don't really need to do testing to know that you know we can execute a successful phishing attempt against your

end users so we decided some basic physical and remote testing um and remote being just phone and reconnaissance and things like that and like you said I'm sorry what's your name you sir yeah Derek like you said Derek fundamental level of testing so this this engagement the purpose of it is not to uh prove how smart I am right it's for the purpose of testing your people and your end users so as I'm developing my shtick I'm going to give the the end users or whoever I'm testing I'm going to give them some pretty obvious ways to catch me and turn me down right I'm going to give them some opportunities I'm I'm not going to go in

all sneaky and tricky um because you know that's kind of not really what I'm there to do it's not to prove how smart or tricky I am it's a good it it is exactly so for example um and I have some of these examples later on but you had mentioned Stephen that that you uh approach the organization as an IT consultant right so somebody says what are you doing here and you say I'm an IT consultant I'm here to test wireless I say I'm with IT I'm checking the systems and they're like IT who what systems and I'm like the ones over there or there and they're like what oh all right well just go okay now if they keep

probing me I'm here the the systems that are connected to the network I'm here to test Wireless I'm you know I'll provide that more detailed but I start off with very vague yeah so that's kind of what I'm referring to um and so you have to also balance when you give some obvious opportunities to get caught uh you can impact your testing right so your whole gig can be up if you if you make a mistake and somebody Tes you so you have to just sort of balance between the validity of the test as Stephen mentioned um you know giving them the opportunity to catch you and then you know maintaining the ability to com to continue

testing so we've gathered all of this information so with the pre-project call so now we're at the point in the kickoff call um that we want to start Gathering additional details right so first first thing we want to ask is what are the targets so the client may not know what their target should be my experience is for the most part is these are organizations that are going through this the very first time so for the purpose of our case study um this is the first time they're going through this assessment they don't really know what their targets are so you have to sort of guide them through picking the targets whether it be physical locations people

or particular data sets and and also so service offerings right so they may have a help desk or this or that that they may want tested so the next thing as you're going through this also clients don't really know what to expect so I don't recommend starting the conversation with asking okay what can't I do what you're going to want to do is illustrate to them what your typical plan and approach is give them some good idea about what you're going to be doing and from there then they'll get a better idea aide of what you're going to be doing and they can they can demonstrate some or you know share some of the restraints with you

but you know let them know okay first we're going to do reconnaissance we're going to make some phone calls get some information about your environment next we're going to you know visit the physical sites after hours and see what type of access we can grant or you know gain access to or even you know execute some of the testing we'll do some probing but they do have to understand you know these plans are not set in stone um it's a very fluid process you don't really know what's going to happen or um you know what opportunities might present themselves to you as you're doing the testing so it is a fluid process but giving them a very clear

idea of what your plan is um will help them sort of give you the information that you need so I I think I talked about restraints um at the close I would recom you know recommend saving this for later in the conversation ask them about locations hours people approaches you know any type of um impersonation that you plan on executing for example you know is it off limits for me to impersonate an IT person an employee um do you have anything to add to that

Stephen A lot

issues yeah and that is against the law to impersonate so some of these things that does go without saying rightest area where a lot of my colleagues have

yes I and I've had situations like that vice president and H him his home tell Vice pres called the m and all wow that's pretty far I personally probably wouldn't and that's something to think about that's something that you do have to consider as you're going through this um the personal aspects of it are very important in understanding how far you can go the biggest I I don't recommend even delving into or touching anything associated with end users at all there's just no need for that executives are a different story right so I've had situations where I've driven to the executive's house and taken a picture now whether or not I use that and put

that into the deliverable you want to clear with your client because you know you're talking about people's families and lives and things um so that's definitely an important piece of it the other thing too something to keep in mind is ask about any guards or you know security monitoring security alerting physical I've done a lot of engagements for state agencies and and most of them are you know there's guys with guns that respond if the alarms go off and we came pretty close to that actually happening uh so it's important to note we what had happened was is we were in this location and we had found the a bunch of codes for the physical uh security system and

for whatever reason my partner in crime didn't enter it properly and the alarms went off and they're supposed to be there like they they're like they will be there with guns drawn within 3 minutes so we got just got the hell out of there all right so the other thing in the kickoff call is get out of jail free card this one's kind of obvious you know you can get a basic language you might want to have it signed by an officer of the company any ideas why so here's just a little picture for you this is a picture this is a real story the CFO telling me escorting me into a conference room saying sit right

right here don't move while I while I uh notify the authorities it was the only time only once in every single time I've done this have I ever had to dish out my get out of jail free card I I've can always get out of it I get out of it I have a million different ways to get out of things but this was the first time I really really really got caught he was not happy he wasn't happy because he didn't know about this test I was in his office space I was you know rifling through his employees um you know files and things like that it was a CFO and I mean it I

was busted in a bad way and even the questions he asked me I'm like oh I'm here you know IT systems whatever and he's like why do you have papers in your hand just what what what and I'm like well and I did still did pretty well but he was just not happy so I actually did just you know in the interest of following best practice I contacted a lawyer and I'm like just riddle me this are there scenarios by which you know I'm legally responsible for anything that occurs during these you know tests and he said absolutely you're legally responsible everything you do um so you know as long as he said you know you're

authorized to test nobody's likely going to take it that far but I did want to understand what the potential impact could be um and so he did recommend that you get it signed by an officer of the company because if you have it signed by say a security manager and the security manager is out to get other people in the company nobody knows about this and he didn't get the the proper approval from the C-levels you know that that can be uh uncomfortable Deni that access no because you have paperwork right so you you have an official signature on the engagement on the proposal and you have master service agreements that kind of protect you and the company

so there's no you know plausible deniability but it's just whether or not just make sure that that person is get a comfort level that they're authorized to authorize

you so there was no the client didn't know so the client does doesn't know you you're talking about the

targets uh they had very specific so once so the policies and procedures as you're doing this you're testing the policies procedures and practices so that's what I test very specifically and in this particular case I was testing tailgating gaining access so in this particular case what I did is at about 4:55 you know tailgated my way into the organization and then from there you gather the data of what you find for the purpose of providing evidence of impact right because it's just the way it is it has to be a compelling event in order for them to take it seriously does that answer your question okay all right so at this point getting back to our case study so we know we

have this manufacturing client we've got one corporate one physical uh one phys one plant that we're going to execute some basic fundamental physical testing against um really there's some policies and procedures but not a whole lot um so you don't have anything very specific to work with um so it's kind of up to you what you think did we just lose the mic no mik check you so that's what we know now okay so we're not going to do any technical testing unless you know maybe we'll do some degree but now we actually have to start doing this right so this is a process in the preparation process now in Stephen's example he had um six

hours to do prep I recommend at least a minimum of a week and because a one week because you can't necessarily make all these phone calls you need to make and probe the organization in a 24-hour time period so you can't you can't call a help desk 20 times trying to get information within an hour you need to spread this out so as much time as you C you know you can allow one to two weeks uh maybe even three weeks depending on the scope of it will help you um so the next part of the project prep is to create your log templates so create just get an Excel spreadsheet um you know organize each of

the logs by the physical location and the phase of the approach so it would be you know corporate physical testing um make sure that you include you know date time phone number location person name and notes so that's the very very first thing you start with um before you do any other sort of reconnaissance or anything else so the next step is figure out your shtick right so we have a midsize manufacturing company what what do you think is a good little ruse to use as you're visiting these locations any ideas I have two go-to oh sorry vendor yep any exactly I have two go-tos I barely ever deviate I remotely or sometimes locally I'm a systems person

IT support something like that I customize the words you know depending on the organization the other one is the fire suppression vendor so you know safety and things like that that's just really easy um and that's what I would plan for this particular environment is to you know be the fire suppression vendor I'm coming in to count and check the fire extinguisher and sprinklers so tell me do you how how well do you think this will work for a manufacturing company any thoughts

good yeah that's been my experience usually the only thing possibly is a manufacturing company so safety first right they might be really really really into safety and they might really really know what actually occurs to you know for this type of protection they might know that no we don't do this we do do that we don't do that so that's the only risk about it but I I'm going to keep using that until um until it doesn't work anymore so the other thing if that doesn't work like Stephen had Illustrated you can call just do reconnaissance call up find out you know what vendor would work you know call the organization just cold call them and say

can you tell me who's responsible for your recycling or you know pick anything anything will work but definitely spend the time to call the organization and act as a salesperson and understand if they have existing processes um you know maybe go find a sales pitch from that vendor and execute that sales pitch to gather information um you know ask them how often they've checked their fire extinguishers or whatever you you need to do some degree of validation that your shtick will work don't make it up you know make sure that you test it to some degree with the clients as you're in the preparation phase it's very easy to forget to log things I'm going to say this a hundred

times through make sure you log everything as you're doing reconnaissance log that you called on this date this time with this ruse um based on this vendor Etc if if you gather information from you know LinkedIn or Facebook or anywhere else Malo take screenshots during that time and and put them in a document make sure you keep all your logs but try to keep your screenshots in a single type of document based on the phase so initially your screenshot will be preparation or reconnaissance or whatever it is um

so and the other thing too is at the close of the project you will be asked very detailed questions so you know there's a scenario where a security guard didn't do their job they want to know the precise time that you were there people get fired over this stuff I I in general I try to avoid giving names I kind of pretend like I don't have them because I don't want people to get fired I feel bad but it's obviously um the as you're going along they will ask you very detailed questions and expect you to be able to produce that information on the spot so the next thing is prepare your toolkit right so you'll need putty knife

duct tape um screwdriver lots of extra badges if you can um prior to executing figure out what kind of badge system they have if there's pictures this that the other and and just go to Kinkos and make one um but you know if you start social engineering all the time it just becomes part of your normal life and then you end up collecting a whole bunch of badges because you know you can use them later uh clipboard everybody looks important with a clipboard make sure you carry one it's very true uh you can go get miscellaneous items from an army surplus store you can get some type of official looking Badges and things like that I stay away from that again because

it might give the appearance that you're impersonating law enforcement um but you can get like good security guard type stuff bring lots of rubber gloves lots and lots and lots keep them in EV stash them everywhere and I'll show you I'll tell you why that's important a little bit later uh plan your outfits for me in particular going back to why I choose to be a uh fire safety individual is because then I can wear khakis uh hiking boots t-shirt and a windbreaker normally I don't leave my house without heels right so for me it's a very uncomfortable place to figure out how to execute and something and just not wear heels but if I wear something like this

I'm gonna kill myself um so whatever your shtick is make sure and guys maybe it's not applicable to you but it is to me it's I dress very differently for professional environment than I do social engineering uh and I just had a case recently where um I was doing work at a law firm so I wore a suit right so I always wanted to look like a lawyer so as you're doing this you're you're going to be there was one time where I just drove in straight from the airport right to the client's site and I was wearing heels and my bags and this that the other and I was just doing a little reconnaissance and I ended up

climbing up like seven flights of a fire escape and heels I was going to about to kill myself so you just have to be prepared you know physically you might there's no limit to what you might be doing you might be climbing up over through ceiling panels and things like that uh the other thing for Preparation is to prepare your vulnerability assessment toolkit so it has some tools where you can technically break in on you nothing extravagant just um at least some degree of testing or I'm sorry some degree of a assessment toolkit and the biggest part is put your game face on right so put your game face on be prepared for anything and then

test your story on your friends your family your loved ones whoever will listen go through it a couple times because you will be probed and it's very important to obviously be able to answer quickly and um you know in a in a very confident manner so one of the things what I do just to kind of keep my skills honed is I just social engineer all the time so for example the hotel here I just asked the the security guard downstairs I'm like do you guys require keys for all of your rooms or is it just the penthouse you know because I was in the higher floors and he said ' why do you need to

know that I was like I don't just curious he and then he ended up telling me same thing we went to Arlington Racetrack and these poor IT dudes were running around fixing all the the betting machines and I just got all the information I needed from them just through hanging out at the racetrack they were all thought I was cool because I was in security so at this point okay now we actually have to go do this right so where do we start what you know there's a lot to do here where do we begin I'd recommend yes got it oh got it I would recommend starting with reconnaissance in the evening later in the evening not

5:05 um oh I'm sorry I skipped this so where do we start we have to figure out the goals and the objectives right that's most important part um ideally what your goals are are to test specific policies and procedures obtain physical access locate sensitive data for evidence um retain access you know that's what the duct tape's for and the putty knife so that you can slim jim and then duct tape the the door lock and don't get caught so ultimately that's what we're doing for every site that we visit so start with reconnaissance in the later evenings um just make note of any activity comings and goings cleaning crew etc find the dumpsters you can usually um it's just easier to do

that kind of dumpster diving in the dark when people don't see you and wonder what you're doing and then as you're doing this initial reconnaissance if you see an opportunity take it you every opportunity that comes up you will likely only get it once you're going to want to plan several visits to each location um execute methodically so make sure that you're not sort of all over the place um maintain a consistent approach to each of the locations so if you're walking in with your ruse as the fire vendor just try to follow the same process as much as you can um be prepared for anything again you never know when an opportunity will come

up um if physical access is obtained or to the network try to get admin rights but do it very quickly um nothing is more telling than some stranger sitting plugged into some random network jack you know running an assessment toolkit for like two hours try to get you know admin rights in like I don't know seven minutes or something like that uh log everything make sure you log every single solitary thing and be polite uh leave things intact don't do any damage don't let people know that you've been ruffling through their desk it's just not polite so here's a couple just examples I'm going to go through these pretty quick but um one this is kind of like

how it actually goes I was at a hospital and I was targeting the Executive offices and I walked up and the clean guy looked at me and said oh my god I've been looking at pictures of you for 10 years and I'm like I I have I I have no idea what's happening here and I'm like great and he's like do you know where you're going and I'm like that way and he's like yep right down the hall you know where it is and I'm like I have no freaking idea he thought I was the executive's daughter um so who who would have thought I mean you don't really know what's gonna happen oh this is the okay so this is a

good one um again this was a hospital I think and I got busted in a bad way from a security guard we were in a place we should not have been there's absolutely no possible way that any public person should be making their way to this location and the the security guard followed us downstairs we're running down the stairs and finally we got to the end and we just like hid behind the stairwell and she's like what are you doing and I'm like and I had nothing I mean I had nothing so I just cried seriously if you have nothing else sorry guys but it works for me and I'm like I I just need a minute please and

she's like all right get out of here take your minute somewhere else this was another funny story I was on the floor of an exchange in Chicago a trading exchange I'm I'm I have all these papers I'm like ruffling around it's like 8 o'clock at night the exchange is closed nobody's around and the security guard's like what's up how you doing and I'm like are you kidding me so I'm standing here talking to him like this I've got stuff hidden behind my back and he's just like oh so you're in support it yeah how do you like it and I'm like I can't believe I'm sitting here and this guy is like praying you know being

social with me while he should be telling me to get the hell out so here's a couple other quick examples uh this one there no I seriously was hiding this was a a state a agency I was hiding behind a file cabinet and it turned out the state treasurer was coming and going it was after hours but somebody kept coming and going while I was digging through and it was a small area but I did it so be prepared for anything uh this was a good little scenario I don't know if you guys can see this but there's actually a roach here I was in digging through the recycling and the lights were off I was

hiding in the closet and I'm just digging I found some great stuff and then the bank closed and everyone left I open the closet and I look and the there in the bin I'm digging in is like this big old dead roach it's disgusting bring gloves everywhere all right so I'm gonna move on to reporting now so we finished the testing right so we we showed as you saw in the last couple examples you have no idea where this is going to go so remember I talked about logging everything log everything log everything well guess what do you think I logged everything probably not because I was hiding behind a file cabinet it's kind of hard to take notes

it's very difficult when you're executing to actually log everything if you can keep a voice recorder but at this point okay I've got I've penetrated 10 million different ways I've got tons of pictures I've got you know a lot of different paths that I took to get in all these different things that I've got all of this information um I may or may not have downloaded and organized all my pictures every night I'm pretty sure I didn't get that security guard's name so at this point I just have a huge hangover and I'm like it's probably easier just to not get off the couch but it's not that bad it's really not so what I do is you start writing up

the anatomy of an attack and that sort of just gets your mind working and you outline in the reporting section okay this was step one this was step two just tell your story as you're telling your story then you can um piece together all of your evidence and your data and get it organized and it'll just get your head in the game and then I create my deliverables based on ISO so every single solitary finding I have is based on some type of a published industry standard you know I'm not just making stuff up saying you should teach your end users it's all very structured and organized and professional so here's what it looks like I don't

know how well you guys can see but I just wanted to show you what it looked like secure areas ISO 270002 with a description of that section you know I talk about the assessment methodology and then under the typical targets um I would actually list the findings and then this is what the anatomy of an attack looks like um just kind of you know you outline the step by step there's really no way to avoid using a lot of words but when you're taking pictures this is why it's very important to take pictures every single solitary step of the way so that you can outline the anatomy of an attack uh this is another one where I

actually gained access to the IT systems building and I was able to I told them I was testing the wireless I was able to just hurry up plug in sniff the traffic get their domain um you know just do some quick information gathering on the domain gather all the servers ran a quick test to see intruder lockout intruder lockout was set to five sweet I just did you know a a you know password test on two or three different you know blank or or default or something like that and I was able to get domain admin rights but that was like five minutes that's how much time I spent doing that all right and that's me and this is

just for the record my mock infos jobs link that I just added real quick Len thank you any questions comments thoughts how many people actually in the room will are hoping to at some point in the future do social engineering authorized for money no yeah so so let me did have you actually done them before so did you find this helpful

okay yeah it's it's a lot of fun but it is a lot of work and you know one thing I just want to stress very strongly if you don't stay organized and collect data every single step of the way you can get yourself into trouble um and you know have some difficulty actually presenting the

findings that's true I and I want actually I wanted to I have a lot more to say I could probably write a book on this but I had more slides on how to present the material um you know how to actually deliver the findings to to the same people that you looked in the eye and tricked it's very difficult and challenging so maybe I'll do that for my next one

sure I mean with any consulting engagement usually we try to um it depends on the scenario the scoping and things like that I've done them by myself and that's fine but it's a little bit harder you know it's much better to have a team but usually two I've never done it with more than two although that's not true I did do pretexting in a room with the client where there was five of the client and one of me that was fun

yes well ISO I I just did the work so ISO you have to pay for I just went and looked everything up that would apply to social engineering and phys physical security um and then we initially it's sometimes with these engagements we would do a physical security check and somebody else had a physical checklist of things to look at um but I just I just did it I don't know what to say I read yeah anyone else well thank you guys