Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're getting into part two of Define Acceptable Social Engineering Pretexts, picking up where we left off. Our objectives are to discuss the types of social engineering attacks (we had tailgating left), to discuss permission-to-test language, and to discuss the Social Engineering Toolkit.
So with that in mind, let's go ahead and jump right in. The last type of attack that we're going to talk about really is not technical in nature; it's more of a physical testing attempt. So versus trying to get access to a system or network through remote means, whatever the case may be, this is where the attacker seeks to enter restricted areas by posing as an employee and taking advantage of goodwill. And so this comes from folks holding the door open, or the attacker acting as if they misplaced their badge. Maybe I've got similar clothing colors. Maybe I'm working on trying to just walk in behind employees as they're going from the smoking area into the building. Or maybe they're coming back from lunch, and I try to tuck into the crowd and walk through and then see how far I can get within the organization. Again, all of this needs to take into account the permissions that are provided, what is and is not within scope, and what exactly it is that deems this type of attack or this type of test.
So let's go ahead and look at permission-to-test language considerations. So again, anything that we do, whether physical testing or whatever the case may be, needs to have language to support it. And so the letter provided in that test memo should include specific time and date ranges for testing. So if the client doesn't want testing done after hours, or if there are only certain days that they want testing done because that's when the particular persons of interest are there, then you want to pay attention to that. And just as any other test's letter includes IP addresses, databases, whatever the case may be, you want this to be just as specific: you want email addresses and names of potential targets in the letter.
And the reason for that is, let's say that the client gives you permission to do a mass mailer to the organization and they don't exclude any parties from that test. They just say you have permission to send out a mass email; maybe you provided a template and they approved it. You send it out to everybody, and then the CEO of the company falls for the attack and is embarrassed. It happens; it's not uncommon. But now that CEO is coming down on the party that approved the initial testing of maybe the infrastructure and things of that nature, and now this causes some discord, and the CEO is now angry with your firm. It's just best to ensure that the targets they want to have tested, they have permission to test, and that if something is successful, or that target becomes concerned or has issues, it doesn't cause undue harm or anything of that nature in the organization.
Now the letter should also, especially in physical pen testing and social engineering attempts, include language on limitations. And so that would include things that you can do and things that you should not do, and you have, again, a responsibility to understand that. Are we going with tailgating? Do we want to do baiting? Am I going to try some elaborate pretexting-type scenario? And that all comes back to what the client is up for as far as cost and time, and what they are hoping to achieve. So that all has to be taken into consideration.
Scenario limitations are also big. Can I pose as a police officer, which could be dangerous depending on where you do that? Can I pose as a delivery person? Can I pose as a member of IT from your partner organization? Can I get angry? Can I get a little stern with somebody, acting as a figure of authority from out of town? Whatever the case may be, that needs to be discussed here, because if they say, "Yeah, do whatever you think you should do to get in there," and then suddenly you come into the office wearing a power suit, you're talking to the receptionist, and she's accommodating, and now you're playing a position of authority, and you're a little stern and you potentially threaten, not in a violent way, but "Hey, you need to help me, or you could have issues with your job" type stuff. If that's then not allowed, and that receptionist gets in touch with an individual, and you're thrown off the premises or hauled into somebody's office because they think you're an employee or something like that, then you have issues. And suddenly your point of contact can't remember whether or not they allowed or didn't allow that. That could become problematic.

And then content limitations are big as well. I've seen it with some off-the-shelf solutions: you have the ability to turn on phishing emails and phish testing that involves profanity. That may not be applicable in every organization; that needs to be discussed on a case-by-case basis with the party that you're testing. You need to take into consideration the atmosphere, the environment, any regulations in that area, and I always tread lightly with content involving drugs, profanity, or inappropriate content that could involve nudity or something of that nature. You always want to be upfront, 100% transparent, and I would even go as far as, with the client that's giving you permission to do this testing, I would even get communications for such content showing that they confirm receipt of the content, that they understand what the content is, and that they approve it if the content is used for testing. That's just a way to protect yourself ultimately and ensure that you don't end up in any hot water.
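The permission-to-test language discussed above (date and time windows, named and excluded targets, allowed attack types and personas, and written approval for sensitive content) can be written down as data and checked mechanically before each planned action, so that the "my point of contact can't remember" problem never arises. The following is an added example, not code from the PTES or from the Social Engineering Toolkit; the field names, the rule categories and all sample values (the example.com addresses, the March 2024 window) are constructed for illustration.

```python
"""Rules-of-engagement checker for planned social-engineering test actions.

Added example: encodes a permission-to-test letter as data and returns the
rules a planned action would break. All names and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set


@dataclass
class RulesOfEngagement:
    start: datetime                  # authorized date range from the letter
    end: datetime
    window_start: time               # daily testing hours
    window_end: time
    weekdays_only: bool
    approved_targets: Set[str]       # email addresses / names named in the letter
    excluded_targets: Set[str]       # parties the client explicitly carved out
    allowed_attacks: Set[str]        # e.g. phishing, tailgating, baiting, pretexting
    allowed_personas: Set[str]       # pretexts the client agreed to
    approved_content: Set[str] = field(default_factory=set)  # confirmed in writing


@dataclass
class PlannedAction:
    attack: str
    target: str
    when: datetime
    persona: str = ""                # who the tester claims to be, if anyone
    content: Set[str] = field(default_factory=set)  # e.g. {"profanity"}


# content categories that always need explicit, written client approval
SENSITIVE_CONTENT = {"profanity", "drugs", "nudity"}


def check_action(action: PlannedAction, roe: RulesOfEngagement) -> List[str]:
    """Return the rules this action would break; an empty list means authorized."""
    problems: List[str] = []
    if not roe.start <= action.when <= roe.end:
        problems.append("outside authorized date range")
    if roe.weekdays_only and action.when.weekday() >= 5:
        problems.append("weekend testing not authorized")
    if not roe.window_start <= action.when.time() <= roe.window_end:
        problems.append("outside authorized hours")
    target = action.target.lower()
    if target in {t.lower() for t in roe.excluded_targets}:
        problems.append(f"target {action.target} is explicitly excluded")
    elif target not in {t.lower() for t in roe.approved_targets}:
        problems.append(f"target {action.target} not named in the letter")
    if action.attack not in roe.allowed_attacks:
        problems.append(f"attack type '{action.attack}' not authorized")
    if action.persona and action.persona not in roe.allowed_personas:
        problems.append(f"persona '{action.persona}' not authorized")
    for tag in sorted(action.content & SENSITIVE_CONTENT):
        if tag not in roe.approved_content:
            problems.append(f"content '{tag}' lacks written client approval")
    return problems


def review_plan(actions: Dict[str, PlannedAction],
                roe: RulesOfEngagement) -> Dict[str, List[str]]:
    """Check every planned action and map its label to its list of problems."""
    return {label: check_action(a, roe) for label, a in actions.items()}


# constructed sample letter: two weeks of weekday, business-hours testing
SAMPLE_ROE = RulesOfEngagement(
    start=datetime(2024, 3, 4), end=datetime(2024, 3, 15, 23, 59),
    window_start=time(9, 0), window_end=time(17, 0), weekdays_only=True,
    approved_targets={"alice@example.com", "bob@example.com"},
    excluded_targets={"ceo@example.com"},
    allowed_attacks={"phishing", "tailgating", "pretexting"},
    allowed_personas={"delivery person", "partner IT"},
)

# constructed sample plan covering the in-scope case and three limitation breaches
SAMPLE_ACTIONS = {
    "in_scope": PlannedAction("phishing", "alice@example.com",
                              datetime(2024, 3, 5, 10, 30)),
    "ceo": PlannedAction("phishing", "ceo@example.com",
                         datetime(2024, 3, 5, 10, 30)),
    "weekend_police": PlannedAction("pretexting", "bob@example.com",
                                    datetime(2024, 3, 9, 10, 0),
                                    persona="police officer"),
    "after_hours_profanity": PlannedAction("phishing", "alice@example.com",
                                           datetime(2024, 3, 6, 19, 0),
                                           content={"profanity"}),
}

if __name__ == "__main__":
    for label, problems in review_plan(SAMPLE_ACTIONS, SAMPLE_ROE).items():
        print(f"{label}: {'authorized' if not problems else '; '.join(problems)}")
```

The checker is deliberately strict in the direction the lecture argues for: a target that is not named in the letter is treated as unauthorized rather than assumed to be in scope, and sensitive content is blocked unless the client's written confirmation has been recorded in `approved_content`.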
So let's go ahead and talk about the Social Engineering Toolkit, or SET for short. The Social Engineering Toolkit is open source, and it's for penetration testing and social engineering. So it's got several custom attack vectors and allows you to make a believable attack in a fraction of the time it would take you if you were doing it with just a standard email or something of that nature. So it will help you build payloads, and it'll allow you to do infectious media generation. It'll do spear-phishing attacks; you can clone sites and do things of that nature. It has an infectious media generator, and payload and listener generators, so it will not only create the payload that a particular person or target would click on, but it will also allow you to set up the listener from your system so that when those connections are potentially made, it will pick up that connection. You can do a mass mailer attack. It has some capability to do SMS spoofing attacks; so we talked about smishing and text-message-type attacks. And so, if you've been doing social engineering for a while and you've been doing things through your own means, generating your own payloads or generating your own infectious media, this is definitely something to look at. It can provide, again, some quicker turnaround time on different types of attacks, and it's a very streamlined, semi-GUI-based interface on the tool. So keep in mind, if you get into doing some testing, that the SET toolkit is definitely worth looking at and definitely worth using in your tests. So let's do a quick check on learning. What type of social engineering attack
involves the use of a credible story to try and gain trust with the potential victim? All right, so take a moment if you need to, and pause the video. So social engineering attacks that involve the use of credible stories, or pretexting, are going to be the ones that we're using here to gain trust of potential victims. Phishing is typically, again, "take action now, limited time only." Baiting involves the use of media left in different places with juicy bits of information on it that someone would try and maybe access, and that would then end in them being infected or having an issue. Tailgating is when we physically try to access an environment by posing as an employee or following people in and taking advantage of trust.
All right, everyone. So in summary, we discussed tailgating today and permission-to-test language, and we looked at the Social Engineering Toolkit. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.