Social engineering exercise
I will need to kick off the social engineering exercise in a few weeks. Any ideas on good topics to go after?
Comments
-
Danielm7 Member Posts: 2,310 Are you trying to educate people? Are you trying to social engineer them? Both? Are there limitations, like phishing, USB key drops or stealing things? Need some detail on the goals.
-
Queue Member Posts: 174 Unauthorized access?
Dress up as a telecom worker, have the secretary let you into the data center / try tailgating. See if they call. If not, go into the data center and prove that you gained access to the core. Physical security is not considered so much.
Go around to satellite offices and see how many workers lead you to the closet and let you in. Get on the internal network. -
SteveLavoie Member Posts: 1,133 I am in consulting; you would be surprised how far you can go if you are well-dressed and polite. I can't count the number of times that, only by dropping a boss's name and asking to go to the server room, they will lead you to the server room, open the door and leave you there alone for many hours without asking anything else.
USB key drive dropping is very effective too. I did it in one of my last pentests. Very effective and fast :) 7h AM, dropped the key; 8h20, root shell -
the_Grinch Member Posts: 4,165 If they have a corporate office, try telling them you are from corporate to work on the servers. Amazing how quickly people will jump, and it adds to a fear of calling someone at corporate only to be scolded for holding the person up.
As for a USB key drop, get a drive you can write on and put "layoffs" or "exec comp" on it. Those will be plugged in quicker than you can say "hacked".
Obviously make sure you have permission and a company contact in the event you get called out on who you are.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
p@r0tuXus Member Posts: 532 I've known a couple of companies that were paying for the tests to give the tester cards that they could hand to any employee who catches them and prevents unauthorized access, which was kind of like a kudos or reward of some kind. I don't remember the exact exchange for those, but I remember the executive mentioning gift cards.
Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE -
TheFORCE Member Posts: 2,297 We are trying to social engineer a small portion of our users. This will be a small engagement and will only involve phone calls and emails. So I need some good topic that will act as click bait to enter information.
-
p@r0tuXus Member Posts: 532 Localized event information always gets the average user. For an organization I was with, they would send out emails with offers for free local sporting events or surveys on webinars, company events and new local business advertisements. Things people would likely see. -
cyberguypr Mod Posts: 6,928 Please, no matter what you do, DO NOT impersonate any legitimate company, agency, etc. Repercussions can be serious. I've seen this go wrong way too many times.
-
TheFORCE Member Posts: 2,297 cyberguypr wrote: »Please, no matter what you do, DO NOT impersonate any legitimate company, agency, etc. Repercussions can be serious. I've seen this go wrong way too many times.
Good point. The last thing we want is people going to their Dunkin' Donuts and asking for free stuff because they "won" it. -
TechGromit Member Posts: 2,156 Where I work you would never get past the first gate. You would have to be at least a contractor to get into any of our buildings.
Still searching for the corner in a round room.
-
ratbuddy Member Posts: 665 SteveLavoie wrote: »USB key drive dropping is very effective too. I did it in one of my last pentests. Very effective and fast :) 7h AM, dropped the key; 8h20, root shell
Idle curiosity, what payload do you use? -
ElGato127 Member Posts: 130 That sounds like fun. You almost have to think like an April Fools' prank, don't you?
-
Danielm7 Member Posts: 2,310 If you're targeting a small group of users, pick something that applies specifically to them. If it's HR folks, pick something that they're interested in. I always used to get high response rates to ones that looked like their corp email quota was almost full and told them to click a link to fix it, request more, etc. Something that demands some kind of call to action.
As for the USB drops, people plugged in a few that I left around the lot / building. But, the ones that I left directly on someone's desk all got plugged in, most of them were tried over and over. -
wastedtime Member Posts: 586 Maybe if you set up a website and get an OAuth client ID and mail out a request saying "click this link for your Google doc". Make sure the link gives access to their Gmail and contact list. When they click that link, make sure it reads their contact list and mails each of them from their account.
In all seriousness though the stuff that went on in the last 48 hours with google OAuth would be a good topic. -
p@r0tuXus Member Posts: 532 Went to a discourse with Kevin Mitnick last night in KC. While being a pretty good public speaker, he went over some things he normally does in a pentest/social engineering exercise and talked about this specifically. He mentioned he'll look into the company and find some of their vendors and then email the company a USB with the logo of their vendor on it, and it always works: they'll go in and load it, format it... then about 45-60 minutes later the payload remotely downloads malware and he has a shell on the machine. It was a great talk, and his business cards were lock-pick sets. Great time. -
tedjames Member Posts: 1,182 Johnny Long's No Tech Hacking may give you some ideas:
https://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159/ref=sr_1_1?ie=UTF8&qid=1494079225&sr=8-1&keywords=no+tech+hacking -
TechGromit Member Posts: 2,156 I will need to kick off the social engineering exercise in a few weeks. Any ideas on good topics to go after?
You mean just for practice purposes? If you're consulting for a company and this is part of testing their security, that is one thing, but to "practice" it on a company without permission is quite another. If you get arrested as a consultant doing social engineering when working for a company, a call to the right people can clear matters up and get you released without charges. If you're doing it for fun or practice, are you prepared to get arrested and possibly charged? What are you going to tell the judge, "I'm really not a criminal, I do this for a living"? -
TheFORCE Member Posts: 2,297 TechGromit wrote: »You mean just for practice purposes? If you're consulting for a company and this is part of testing their security, that is one thing, but to "practice" it on a company without permission is quite another. If you get arrested as a consultant doing social engineering when working for a company, a call to the right people can clear matters up and get you released without charges. If you're doing it for fun or practice, are you prepared to get arrested and possibly charged? What are you going to tell the judge, "I'm really not a criminal, I do this for a living"?
This is an approved exercise. I'm one of the team members involved. We do this every year as part of user training and to assess if the awareness training is working. -
shimasensei Member Posts: 241 This will be fun!
Starters: Phishing (inc. spear phishing), vishing, infected USB drive drops, etc.
Advanced: Employee/contractor impersonation (can include tailgating and dumpster diving), auditing network access vulnerabilities in HQ/branches' publicly accessible areas, etc.
Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
Future Plans: MSc + PMP, CCIE/NPx, GIAC...