Ready to Start Your Career?
July 28, 2015
Methodology of information gathering and testing in social engineering
July 28, 2015
Obtaining information for social engineering, or from the target organization knowingly made unwitting available.As with anything should first be taken ethical considerations into account.To answer the question of whether the use of social engineering techniques as part of a penetration testing is acceptable , should first be shown why social engineering ever successful:The techniques work because all people certain features or character have weaknesses that may be exploited. These include extremely positive properties as the tendency to pleasantries, moral sense of duty and willingness to help, but also less positive characteristics such as opportunism and the reluctance to accept responsibility.As usually, among others, on the client's employees directly influence is exercised in the use of social engineering techniques to their reliability and their safety awareness to check, this could cause discomfort to those affected. This could be all the more the case when social engineering techniques are carried out without notice and "resolved".The use of social engineering should therefore be considered very carefully. The tester has the authority in every case on the possible consequences from social engineering enlighten and outline that this technology without prior user training most likely successful will be rich, and that it then may result negative impact on the employees.1. Information Gathering for Social EngineeringTest steps:Analysis of the information on the website of the target organizationAnalysis of information from print media or databasesSearch newsgroups for email addresses of employees and Applications of the target organization that published in postingsRequirements:Company name or name of the institutionExpected Results:Identification of the relevant departmentsList of persons working in the relevant departments Name, function descriptions, e-mail addresses of potential targetsOrganization charts of the target organization with the various hierarchical levels and management positions (department heads, etc.)Structure of e- mail addresses, internal mailing lists and typical sender of internal mailings2. Information Gathering for computer based Social EngineeringTest steps:Analysis of the target organization 's website for information on used operating systems and applicationsResearch by Job of the organization in terms inserted IT systemsResearch in support forums for postings of employees of the target organizationIdentification of the mail programs of the target organization / employees based on the headerRequirements:Information on departments / people / organization, etc.Expected Results:List of IT systems and IT applications in the various departments be used3. Information Gathering for personal Social EngineeringTest steps:Analysis of the contact information on the website of the target organizationAnalysis of contact and customer information from print media or databasesObservation of the building of the target organizationIdentification of service companies through telephone inquiriesRequirements:Information on departments / people / organization, etc.Expected Results:Listing of service companies , which are active for the target organizationList of important customers of the target organizationInformation on the location of the various departments within the building.Methods1. Computer based social engineeringAn attempt is made to take on a person influence to using appropriate computer technology Manipulation techniques, e.g. by exploiting by curiosity or helpfulness, system rights to obtain.Test steps:Contacting the target person via emailTarget people deceive and to install special programs for example KeyloggerTarget person by fake system messages for inputs from prompt user name and passwordRequirements:Information about target systems, applications and persons.Expected Results:Access to the network or systems of organizationList of system and application passwordsRisk:The attack could be noted as such and trigger irritation among the target person.The specific programs could interfere with the operation.2. Direct, personal social engineering with physical accessAn attempt is made by direct contact with a person (eg., by visiting ) that a privileged knowledge has to gain access to confidential information . In this case, for example attempts under pretense of a relationship of trust, the respondent to disclose information to move.Test steps:Personal contact with the target person (for example as a service technician, new employees, etc.)Pretense of a relationship of trust to the respondent to move publication of information (for example the publication of a Key or disclosure of passwords)Requirements:Information about target systems, applications and persons.Expected Results:Relevant information such as passwords, system configurations, etc.Risk:The attack could be noted as such and trigger irritation among the target person. If it comes to the publicationof relevant information, could this circumstance after the penetration testing is dissolved and the subject is their misconduct is aware of thestrain relationship between the target person and target organization, especially when it comes to taking aemployee of the target organization.3. Indirect, personal social engineering without physical accessAn attempt is made through telephonic contact to a person who is a privileged knowledge has, to explore secrets. An attempt is made, for example, under pretense of relationshipof trust to move the target person into divulging information.When the target person can it is about employeeThe organization or other insider act. In this connection becomes the naivety the employee the target organization and their need involved and helpful to his utilized.Test steps:Contacting the target person by phone or e -mailPretense of a relationship of trust to the respondent to move publication of information (eg. issue as administrator, employee, remote supervisor etc.)Requirements:Information about target systems, applications and persons.Expected Results:Relevant information such as passwords, system configurations, etc.Risk:The attack could be noted as such and trigger irritation among the target person. If it comes to the publication of relevant information, could this circumstance after the penetration testing is dissolved and the subject is their misconduct is aware of the strain relationship between the target person and target organization.(Especially when it comes to taking a Employees of the target organization is)