
Penetration testing and social engineering


DESCRIPTION

Presentation by Yvette du Toit to the University of Pretoria's honours class of 2011. This presentation is about penetration testing and social engineering. A walkthrough of a social engineering attack is given in this presentation.


Page 1: Penetration testing and social engineering

What will we do today?

• Penetration Testing discussion
  – Types of services
• Social Engineering
  – Real-life examples
• Non-tech view
  – Dark side?
• Interactive

Page 2: Penetration testing and social engineering

Penetration Testing

• What?
  – Rude word…
  – What do you think?

Page 3: Penetration testing and social engineering

Breakdown

• Build Review
• Infrastructure
• Application
• Code Review
• Reverse Engineering
• MVS (PCI, Int, Ext etc)
• WLAN
• Database
• AD

Page 4: Penetration testing and social engineering

Ops :)

• Client discussions
• Proposal
• Acceptance / PO
• Rest of paperwork (SOW et al)
• Resources / Schedule
• Delivery
• Report
• Invoice

Page 5: Penetration testing and social engineering

Oops :(

• What can go wrong?
  – DoS
  – Wrong scope
  – Mismatched resources
  – Dissatisfied clients
  – Non-payment

Page 6: Penetration testing and social engineering

Social Engineering (SE)

• Art of deception?
  – Manipulation
  – Disclosure
• What do you see as SE?
  – Examples

Page 7: Penetration testing and social engineering

SE: Anatomy

• Agree scope
  – What is in?
  – What is out? MAKE THIS VERY CLEAR
• Reconnaissance
  – Onsite
  – Web
  – News

Page 8: Penetration testing and social engineering

SE: Anatomy Cont'd

• Plan based on reconnaissance
  – Approximate idea of execution
  – Potential back-up plans in case of delivery failure
  – Changing course based on scenario

Page 9: Penetration testing and social engineering

SE: Characteristics & Tools

CHARACTERISTICS
• Guts
• Keep calm
• Think on your feet
• Change tactics whilst keeping your wits about you

TOOLS
• Internet
• Google Earth
• Charm
• Manners
• Gadgets (phone, camera)

Page 10: Penetration testing and social engineering

SE: Outcome / Results

• Report
• Evidence (MOST IMPORTANT)

Page 11: Penetration testing and social engineering

SE: Example

• Creating a fake email account with a real person's name.
• Ellen belongs to a company loosely affiliated with the target.

Page 12: Penetration testing and social engineering

SE: Example Cont'd

• Sending an email from "Ellen" to many hundreds of employees of the target company.
• The email content is based on a real event that the target company held (gleaned from their news website).
• The email encourages people to visit a website, which appears to be legitimate.

Page 13: Penetration testing and social engineering

SE: Example Cont'd

• The website is a duplicate of the target company website, with a few minor modifications to go along with the farcical story from the email.
• The page attempts to run a Java applet (next slide).

Page 14: Penetration testing and social engineering

SE: Example Cont'd

• Should the user click yes to running the applet from the site, some hostile Java will execute which will compromise the machine and give the attacker full control (as in next slide).

Page 15: Penetration testing and social engineering

SE: Example Cont'd

• Pwnd ;)
• Logs of people visiting the site

Page 16: Penetration testing and social engineering

SE: Example Cont'd

• Oddly enough, a real employee (Fred) replied to the attacker with real comments about the site.
• This was useful as it gave us his name, email signature etc., which could be used to create another fake email account abusing his information.

Page 17: Penetration testing and social engineering

SE: Example Cont'd

Creating a fake account for target company employee Fred

Page 18: Penetration testing and social engineering

SE: Example Cont'd

• The entire email is forged from Fred, but it appears as though he is forwarding on an email that was made to look like it came from a real employee.
• Here we abuse the chain of trust.
• The email encourages users to go to a Microsoft website to download an urgent update.

Page 19: Penetration testing and social engineering

SE: Example Cont'd

• The attacker has downloaded a real MS update, but sneakily inserted some hostile code (the "hot" file).
• This is hosted on a fake MS website (next slide).

Page 20: Penetration testing and social engineering

SE: Example Cont'd

Looks legit? Almost too good to be true.

Page 21: Penetration testing and social engineering

SE: Example Cont'd

• Here we see a user downloading and running the file, the result of which is his AV being killed, a screenshot of his desktop being taken, and full control of his machine given to the attacker.
• Game over.
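As an added example (not part of the presentation), a small Python checker for the forged-sender pattern the walkthrough describes: a real person's name on a mailbox that is not theirs, a sender domain that merely resembles the company's, a quoted "forwarded" message attributed to staff, and links to hosts outside the company's own domains. The domains, staff entries and sample message are constructed; a real deployment would load the staff list from the company directory.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (assumption): real values come from the company directory.
TRUSTED_DOMAINS = {"target-corp.example"}
KNOWN_STAFF = {"fred bloggs": "fred.bloggs@target-corp.example",
               "ellen smith": "ellen.smith@partner-corp.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message mimicking the forged "FW:" mail from the slides.
SAMPLE_FORGED = """From: Fred Bloggs <fred.bloggs@target-corp.example.net>
Subject: FW: Urgent update

Please install this before Monday.
> From: Ellen Smith <ellen.smith@partner-corp.example>
> https://update.microsoft-downloads.example/hotfix.exe
"""


def trusted_host(host):
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def impersonation_flags(raw_message):
    """Return the reasons a single-part message resembles the forged-sender attack."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    key = " ".join(name.lower().split())
    flags = []
    # 1. A real person's name on a mailbox that is not theirs (the fake "Ellen"/"Fred" accounts).
    if key in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[key]:
        flags.append(f"display name {name!r} does not belong to {addr}")
    # 2. A sender domain that is close to, but not the same as, the company's own.
    if any(d != domain and SequenceMatcher(None, d, domain).ratio() >= 0.8 for d in TRUSTED_DOMAINS):
        flags.append(f"lookalike sender domain {domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    # 3. A quoted inner "From:" naming staff: a forwarded chain of trust the reader cannot verify.
    inner = re.search(r"^\s*>?\s*From:\s*(.+)$", body, re.M | re.I)
    if inner and " ".join(parseaddr(inner.group(1))[0].lower().split()) in KNOWN_STAFF:
        flags.append("body quotes a forwarded message attributed to a staff member")
    # 4. Links to hosts outside the trusted domains (the "urgent update" download site).
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not trusted_host(host):
            flags.append(f"link to untrusted host {host}")
    return flags
```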

Page 22: Penetration testing and social engineering

Questions

Page 23: Penetration testing and social engineering

Contact Details

Name: Yvette du Toit
Email: yve][email protected]