< Day Day Up > |
What results might you seek to achieve with social engineering, whether in a real attack or in penetration testing? Useful information for obtaining access or for testing can be grouped into the following categories:
7.2.1 Active and Passive AttacksFor the purpose of this chapter, we divide social engineering attacks into active and passive . Active probes directly interact with the target and elicit its response, whereas passive attacks acquire information with stealth. Active social engineering involves interaction with target personnel in order to obtain security-relevant information, gain access privileges, or persuade someone to commit a policy violation or act as a proxy on the attacker's behalf. In contrast, passive attacks include eavesdropping and observation and subsequent analysis of the results. Passive attacks often seek to acquire seed information with which to launch further active social engineering or network-based physical attacks. It is also important to note that intelligence gathering in the form of passive social engineering and surveying open source intelligence is crucial for preparing a social engineering attack or test. People are much richer systems than computers. Thus, the process of "reading the manual" is more complicated when studying humans . Active attacks elicit the required response through basic human emotions. The following are some methods for a successful attack:
Combination attacks (such as intimidation and impersonation) can be much more effective than individual attacks. Note also that not all of the tactics are applicable to every possible goal of social engineering. For example, it is unlikely that anybody ever obtained a password with a flattery attack. The social engineer may consider the three positions in Table 7-1 before launching an attack. Table 7-1. The attacker/target relationship
Depending upon the circumstances and personal preference, the attacker might play a helpless victim, if intelligence gathering indicates that this approach will be effective. On the other hand, an angry boss position of superiority works wonders sometimes. Finally, claiming to be an equal or a friend often yields results when the first approaches fail. Let's examine some sample attacks using the positions and methods outlined above. 7.2.1.1 Sample 1: ImpersonationThe attacker pretends to be a mailman in order to obtain access to a company facility. In this case, the attacker places himself in a lateral position, using just an impersonation technique to get privileged physical access. 7.2.1.2 Sample 2: Impersonation and authorityThe attacker pretends to be a system administrator's superior and calls the sysadmin for a password. This method is more effective in a large organization, where many layers of hierarchy exist and people might not know their boss's boss. While this attack might sound easy, success depends on the attacker's knowledge of how to approach the victim in a convincing manner, as well as flexible conversation skills. 7.2.1.3 Sample 3: BlackmailInformation gained in the past can be leveraged for access to more information via blackmail. If this word smacks of bad crime novels , you may prefer the modernized "leveraging acquired information assets to gain further ground" instead. This definition emphasizes this technique's need for careful research, so that the attack may be optimized using knowledge of the victim's past transgressions. 7.2.1.4 Sample 4: SympathyThe attacker asks for advice or guidance from an employee. Running this one requires the attacker to "genuinely" sympathize and requires some acting skills. 7.2.2 Preparing for an AttackTo pick roles for impersonation during the social engineering attack, consider the following list. On the defense side, be prepared for anybody initiating communication with you to use one of these tactics. We do not advise complete paranoia ”just a healthy helping of it. This list illustrates the thinking patterns of potential attackers , who might select a circuitous route to the goal ”one that may not be on the radar screen of the defending party.
In a social engineering attack exercise, you can select from these roles, depending upon your goals. Let us now turn to possible communication channels for the attack. Social engineering attacks can be conducted through various communication media, including the phone, mail, email, the Web, instant messaging or chat (IRC), or a mailing list or discussion forum. They can also take place in person. The following are some examples of attacks using the above media:
Target selection is often based on initial information gathering and the possible roles we've mentioned. Common targets of social engineering attacks include help desk, tech support, and reception personnel. This list is by no means comprehensive, but these positions are consistently vulnerable to wetware attacks. The attack comes after an initial sweep for information via public sources (i.e., passive social engineering or technology-based attacks such as network surveying). The methods we've described are combined with various communication media, using a social engineering action plan , or "toolkit." The action plan involves maneuvers based on the chosen target, along with any supporting information, followed by a determination of the sequence of attacks to try. It is a simplified framework for creating social engineering attacks. Table 7-2 gives a summary of sources that can be used as part of an initial sweep and information-gathering mission. Table 7-2. Information gathering sources and methods
7.2.3 Social Engineering Action PlanA social engineering action plan welds the social engineering attack components into one truculent blade . These are the steps of a planned social engineering attack:
Several of the steps in the action plan need additional clarification . For example, how does the attacker choose the best individual to target? While we are attempting to define social engineering attacks in terms of technology, the social engineer still relies heavily on experience and intuition. The final choices will likely be made on a hunch. In many scenarios, several unrelated targets are pursued, in order to "converge" on the desired information. The following example is based on our action plan.
The action plan is flexible and does not need to be followed verbatim. Rather, it is merely a framework on which to build audits . Documentation is essential for reports on penetration testing and in order to evaluate the vulnerability of the company to social engineering attacks. In fact, accurate documentation is of even greater value for these tests than it is for technology-based tests, since the course of action must be constantly adjusted in a social engineering attack. People are more complex than computer systems. Some additional tips:
7.2.4 Social Engineering Information Collection TemplateIf you are conducting social engineering attacks in the context of legitimate penetration testing (the only way we recommend doing it), here is a template for optimizing information collection. This template outlines the documentation of information collected in social engineering attacks. It focuses on three areas: the company, its people, and its equipment (including computer systems). Company ----------------------- Company Name Company Address Company Telephone Company Fax Company Web Page Products and Services Primary Contacts Departments and Responsibilities Company Facilities Location Company History Partners Resellers Company Regulations Company Infosecurity Policy Company Traditions Company Job Postings Temporary Employment Availability /* get a job there and hack from inside */ Typical IT threats People -------------------------- Employee Information Employee Names and Positions Employee Places in Hierarchy Employee Personal Pages Employee Best Contact Methods Employee Hobbies Employee Internet Traces (Usenet, Forums) Employee Opinions Expressed Employee Friends and Relatives Employee History (Including Work History) Employee Character Traits Employee Values and Priorities Employee Social Habits Employee Speech and Speaking Patterns Employee Gestures and Manners /* used for creating and deepening "connection" during social interaction */ Employee Login Credentials (Username, Password) for Various Systems Equipment ------------------------ Equipment Used Servers, Number and Type Workstations, Number and Type Software Used (with Versions) Hostnames Used Network Topology Anti-virus Capabilities Network Protection Facilities Used (with Software Versions) Remote Access Facilities Used (Including Dial-up) Routers Used (with Software Versions) Physical Access Control Technology Used Location of Trash Disposal Facilities |
< Day Day Up > |