LPTv4 Module 26: Social Engineering Penetration Testing

ECSA/LPT
EC-Council
Module XXVI
Social Engineering Penetration Testing
Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here
What is Social Engineering?
The term social engineering is used to describe the various tricks used
to fool people (employees, business partners, or customers) into
voluntarily giving away information that would not normally be known
to the general public.
Examples:
• Names and contact information for key personnel
• System user IDs and passwords
• Proprietary operating procedures
• Customer profiles
Requirements of Social Engineering
• Be patient when you make several phone calls to a person to gather sensitive information.
• Appear to be confident so that people will believe you.
• Develop the trust of the target person by using mirroring techniques.
• Have background knowledge of the person you are contacting at the company before you start gathering details from them.
Steps in Conducting Social Engineering Penetration Test
1. Attempt social engineering techniques using phone
2. Attempt social engineering by vishing
3. Attempt social engineering by telephone
4. Attempt social engineering using email
5. Attempt social engineering by using traditional mail
6. Attempt social engineering in person
7. Attempt social engineering by dumpster diving
8. Attempt social engineering using an insider accomplice
9. Attempt social engineering by shoulder surfing
10. Attempt social engineering by desktop information
Steps in Conducting Social Engineering Penetration Test (cont'd)
11. Attempt social engineering by extortion and blackmail
12. Attempt social engineering using websites
13. Attempt identity theft and phishing attacks
14. Try to obtain satellite imagery and building blueprints
15. Try to obtain the details of an employee from social networking sites
16. Use a telephone monitoring device to capture conversations
17. Use video recording tools to capture images
18. Use a vehicle/asset tracking system to monitor motor vehicles
19. Identify "disgruntled employees" and engage in conversation to extract sensitive information
20. Document everything
Before you Start
• Print business cards of a bogus company
• Make sure you have an email ID printed on your business card, e.g. jdownes@insuranceusa.com
• Buy the clothes that are needed for the social engineering attacks, e.g. a fireman uniform
• Print bogus ID cards
• Set up a bogus website for the company you represent
• Register a new number for your mobile phone that will be used in the social engineering attack
Dress Like a Businessman
• Dress like a businessman; wear a tie and an expensive suit
• Carry a briefcase
• Your attire should command great respect
• You are judged by how good you look
• Wear glasses to look more intelligent
Step 1: Attempt Social Engineering Techniques Using Phone
• Call the company's help desk and ask for sensitive information
• Call the receptionist, engage in conversation and extract various contact details of the company
• Make it look realistic – rehearse many times before you make the call
• Have backup answers for every question you throw at the target person
• Record the conversation – for reporting purposes

"Hi, this is Jason, the VP of sales. I'm at the New York branch today and I can't remember my password. The machine in my home office has that 'Remember password' set, so it's been months since I actually had to enter it. Can you tell me what it is, or reset it or something? I really need to access this month's sales reports ASAP."

"Hi, this is Joanna at the Boston branch. I'm the new LAN administrator and my boss wants this done before he gets back from London. Do you know how I can:
• Configure our firewall to have the same policies as corporate?
• Download the latest DNS entries from the corporate DNS server to our local server?
• Run a transaction on a remote file and print server using a Shell command?
• Back up the database to our off-site disaster recovery location?
• Locate the IP address of the main DNS server?
• Set up a backup dial-up connection to the corporate LAN?
• Connect this new network segment to the corporate intranet?"
Step 2: Attempt Social Engineering by Vishing
• Use the vishing technique and pose as an employee of a legitimate enterprise
• Trick the users and gather their personal sensitive information
Look for the following:
• Payment card information
• PIN (Personal Identification Number)
• Social insurance number
• Date of birth
• Bank account numbers
• Passport number
Step 3: Attempt Social Engineering by Telephone
Three common techniques to perform social engineering using the telephone are:
• Pose as a disgruntled customer.
• Act as a logging helper.
• Appear as a technical support member.
Step 4: Attempt Social Engineering Using Email
• Create a webpage that spoofs the company's identity
• Send an email to someone in the company asking them to visit http://x.x.x.x/login.asp and re-login to activate the server upgrade
• Make the email look legitimate and real (company fonts, colors, logo, etc.)
Step 4: Attempt Social Engineering Using Email (cont'd)
• Send sweepstake (like lottery, gifts) information to users and ask them to provide their name, email ID, password, and address through an online form
• Another way to obtain information online is by sending mails to users and requesting them to provide their password while posing as a network administrator
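The email lures above only become reportable evidence when each click or form submission can be tied back to the employee who received the mail. The following is an added example, not code from the EC-Council module: per-recipient HMAC tracking tokens appended to the lure link, plus the attribution step run over the tokens pulled from the lure server's log. The lure URL reuses the module's placeholder http://x.x.x.x/login.asp; the campaign key, recipient addresses and log sample are constructed for the demo.

```python
# Added example (not from the EC-Council module): per-recipient tracking
# tokens for the email phase of a social engineering penetration test.
# Each lure link carries an HMAC-derived token, so a hit on the lure page
# can be attributed to one recipient without the lure server holding the
# target list.
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumption: placeholder lure host/path from the module, not a real site.
LURE_URL = "http://x.x.x.x/login.asp"


def make_token(campaign_key: bytes, recipient: str) -> str:
    """Opaque, unforgeable token for one recipient.

    HMAC-SHA256 over the lower-cased address, truncated to 16 hex chars.
    A recipient cannot derive another recipient's token, and verification
    needs only the campaign key.
    """
    mac = hmac.new(campaign_key, recipient.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_lure_link(campaign_key: bytes, recipient: str) -> str:
    """Per-recipient link to embed in the pretext email."""
    return f"{LURE_URL}?{urlencode({'t': make_token(campaign_key, recipient)})}"


def attribute_hits(campaign_key: bytes, recipients: list, hit_tokens: list) -> dict:
    """Map 't' parameter values seen in the lure server log back to people.

    Tokens matching no recipient go under 'unknown': a mail-security
    sandbox, a forwarded mail, or a tampered parameter.
    """
    lookup = {make_token(campaign_key, r): r for r in recipients}
    result = {"clicked": {}, "unknown": []}
    for tok in hit_tokens:
        who = lookup.get(tok)
        if who is None:
            result["unknown"].append(tok)
        else:
            result["clicked"][who] = result["clicked"].get(who, 0) + 1
    return result


def new_campaign_key() -> bytes:
    """Fresh random key per engagement; store it with the engagement evidence."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed fixed key so the demo is reproducible
    targets = ["alice@example.com", "bob@example.com"]  # constructed targets
    for t in targets:
        print(t, "->", build_lure_link(key, t))
    # Constructed sample of 't' values extracted from the lure server log
    seen = [make_token(key, "alice@example.com"),
            make_token(key, "alice@example.com"),
            "deadbeefdeadbeef"]
    print(attribute_hits(key, targets, seen))
```

Record the token and a timestamp when the lure form is submitted, not the password that was typed; the report needs "who fell for it", and keeping real credentials in engagement evidence turns the test itself into a data leak.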
Step 4: Attempt Social Engineering Using Email (cont'd)
"You have been specially selected..."
"You have won..."
"A new car! A trip to Hawaii! $2,500 in cash!"
"Yours, absolutely free! Take a look at our..."
"Your special claim number lets you..."
"All you pay is postage, handling, taxes..."
Email Spoof: Screenshot 1
Email Spoof: Screenshot 2
Email Spoof: Screenshot 3
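The screenshots above show what a spoofed lure looks like to the recipient; what the target's mail gateway sees is in the headers. The following is an added example, not code from the EC-Council module, that pulls the usual spoofing indicators out of a raw message with Python's standard email parser: envelope sender versus header From, an address smuggled into the display name, an off-domain Reply-To, the receiving MTA's Authentication-Results, and a lookalike sender domain. The sample message, its domains and addresses are constructed for the demo; run it over real .eml files captured during the engagement, or over your own lure before sending it.

```python
# Added example (not from the EC-Council module): header checks that expose
# a spoofed "re-login to activate the server upgrade" lure of the kind used
# in Step 4. Every check is a heuristic; report the indicators as evidence,
# not as a verdict.
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message (not a real capture). Domains are placeholders.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.corp.example with SMTP; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Helpdesk <helpdesk@corp.example>" <admin@corp-example.com>
Reply-To: it-support@webmail-reply.example.org
To: jdoe@corp.example
Subject: Action required: server upgrade

Please visit http://x.x.x.x/login.asp and re-login to activate the server upgrade.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: str) -> list:
    """Return human-readable spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Envelope sender (Return-Path) domain differs from header From domain.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 2. Display name embeds an address whose domain differs from the real one.
    if "@" in display and _domain(display.split("<")[-1].strip(">")) != from_dom:
        findings.append(f"display name embeds a different address: {display!r}")

    # 3. Reply-To points outside the From domain (replies go to the attacker).
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply) != from_dom:
            findings.append(f"Reply-To {reply} is outside From domain {from_dom}")

    # 4. The receiving MTA's own Authentication-Results say SPF failed / no DKIM.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    if "dkim=none" in auth or "dkim=fail" in auth:
        findings.append("no valid DKIM signature")

    # 5. Lookalike sender domain: recipient domain with dots/hyphens shuffled.
    to_dom = _domain(parseaddr(msg.get("To", ""))[1])
    squashed_from = from_dom.replace("-", "").replace(".", "")
    if to_dom and from_dom != to_dom and to_dom.replace(".", "") in squashed_from:
        findings.append(f"From domain {from_dom} looks like recipient domain {to_dom}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_SPOOF):
        print("-", finding)
```

Only the Authentication-Results header written by the target's own inbound MTA is trustworthy; a sender can add a fake one, so check that the header names the receiving host before relying on it.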
Step 5: Attempt Social Engineering by Using Traditional Mail
• Send "snail" mail letters to selected employees of the target company
• Make the letter look real so that people fall for the scam
Example:
• Congratulations, you've been preapproved for a holiday to London (all expenses paid). To claim your gift, please complete the enclosed circulation survey and return it to us at Green Apple Travel Services.
• If you accept this offer by 3/4/2004, we will also send you a complimentary American Express leather wallet.

Example
Fake prize letter offering holiday trip in exchange for survey
Step 6: Attempt Social Engineering in Person
• Visit the physical facility and attempt social engineering techniques
• Rehearse what you are going to say
• Dress appropriately – for example, if you are going to spoof as a fireman then you had better wear that uniform and speak like one
• Ask questions that reveal:
  • Sensitive information.
  • Contact information.
  • Company policies.
  • IT infrastructure.
• Invite the party for a drink or coffee and continue social engineering techniques at a coffee table.
• Establish trust.
Example
"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
Example
"Hi, I'm Sharon, I'm a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
Example
"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.
Step 7: Attempt Social Engineering by Dumpster Diving
The term dumpster diving is used to describe searching disposal areas for information that has not been properly destroyed.
Many organizations utilize hotel conference rooms or other unsecured facilities to conduct brainstorming sessions. Once the session is complete, no one considers wiping down the whiteboards used to record the output of the meeting.