Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in the last video we started off our lab. We started taking a look at Philip Nomad again. This is a fake person. But we take started taking a look at his social media profile here and we took a look. We noticed the number of followers. We also took a look through some of his post to see, you know, Was he married or not? Does he have Children or not?
00:18
Ah, and that's where we left off in the last video.
00:21
Now this video, where to go ahead and continue on with the last couple of the other questions we wanted to address or find out the information on, um, you know, we already talked. We already took a look at where people posting on commenting on his post. We saw that we have seen that we also noticed that there was some information about Is your baby due or not? Type of thing
00:39
s. So that might have indicated. Did they have Children or not?
00:41
And then also worthy, expecting a child where they pregnant? Or maybe it's just the fact their friend's air trying to pressure them into having Children.
00:49
Now we want to start off here in this video of looking through the rest of his social media posts. So that way we can see if there's any other helpful information for us to take a look at.
00:57
So we're gonna keep scrolling down here. So we did see the thing about, you know, Of course he's married. We know that we had seen that. Okay. You know, maybe the baby's gonna be doing some point. Or, you know, maybe that, um,
01:08
you know their again, their friends are pressuring them into having Children.
01:12
So other thing I want to note in the background here, you know, we might be able to see that, You know, for example, his wife here in the phone. Oh, maybe they go to a park a lot to me. There's a park near their house that might be an avenue if we want to, like, actually make contact with this person and try to do some social engineering. Maybe we could start going to that park. We struck up a conversation,
01:30
you know, Maybe was his wife. You know, maybe she's more talkative than he is.
01:34
We could start saying, Oh, Well, what's your husband? Do you know that sort of stuff we can't even take? You know, if we're not married or we don't have a girlfriend or something or boyfriend ourselves, we could take a friend along with us and pretend we're a couple and try to do some more. She'll soon social engineering that way. So there's a lot of things we can do just off looking at the photos they have in the background. There. We start getting ideas of different ways to
01:53
attack Philip or attack his organization.
01:56
So let's keep taking a look through his other post here. Let's see what else he has.
02:00
All right, So we see a couple of things in this last post here. Number one, It looks like his car broke down, right? And then when he went to go get it repaired, you know, take it, take it to a shop, you know, basically called the shop and see what you know what pricing is or whatever. See if they have an opening. He realizes he left his phone at home,
02:19
so that might be another thing, right? Like if Phillips a difficult target for us to get at like, uh, on. We'll see later on. We'll company works for us. I won't mention it now, but, um,
02:28
if we if we think he's a high value target at that company and we really want to get access to like his phone,
02:35
we may go. So go so far as to kind of, you know, quote unquote, stalk him on social media, see that he leaves his phone at home, and then we might be able to figure out a way to, you know, again, this this part of its criminals. It's not for a pen tester is this might be something that criminal does
02:53
criminal might, you know, do some
02:54
damage to your vehicle. So you have to go to that repair shop again. And we already know that he left his phone one time. Maybe he'll leave it again at home, right? So then we might be able to do you know, again, another criminal act breaking in, getting his phone planning some kind of spyware on their whatever again. That's really drastic stuff, too. Just plant some spyware,
03:13
but you get the idea of like if somebody really, really wants to get you,
03:15
there's all these different ways that can do so. She really need to secure your information better.
03:22
All right, let's go back to our step by step lab guy and kind of just go through the rest of the lab here and see what else we need to find. We've already answered all these questions here, all the way through this question. Sick six. Now we're gonna go ahead and step nine here, click on the about tab at the top of the page.
03:36
And what we want to do is just take a look to see if we see any type of personal information about him at all. So let's go ahead, scroll Back up here to the top on. And we're just gonna click on this about Paige here at the top.
03:47
And as I mentioned, you know, you know, it's kind of goes a little slow as we scroll through this. If you're doing this on your own, if you're not using the cyber lab environment, you're just looking through your your own social media profile. It will probably go a little faster based off your connection.
04:01
All right, so we see here. You know, the question was, do we see any personal information about him. First thing that jumps out at me automatically is the date of birth. You'd be surprised how many people leave their birthdays unsecure. Well, you know, it's not secure anyways on social media, but how many people don't like sanitize had a little bit, or even use a face fake birthday like I do?
04:20
Um, so yes, by the way, my birthday. Just not any New Year's day
04:25
of, you know, whatever you're I choose eso just f y on that. Sometimes I change it up. I do like Valentine's Day or whatever. So we see his date of birth here. The other thing we see personal wise, his phone number, you know, education, that sort of stuff. All those things can lead us to getting more information about him, as well as
04:43
figuring out ways to contact him from a social engineering standpoint.
04:47
All right, You know, Step 10 here is just no dating that he works as a software engineer, so that might be an avenue in as well, right? We might be able to see what kind of meet up groups of what groups he's in on different social media platforms especially like Facebook or even like Lincoln Pages he follows.
05:04
So that might be an avenue to start up a conversation about different topics in softer engineering,
05:09
especially learning what language he uses
05:12
having those conversations. And if we're local with him, we might be able to go to meet upset. He goes to and do social engineering that way.
05:19
So the next thing is, does he speak any languages? A. Cz Well, we also see some past employers, he said. As we scroll down, this here is well on. Those might may or may not be beneficial to us. We see the company I didn't want to mention. That's Google. I didn't want to give that away. Since we're taking a look at that, we also see some other companies so we might be able to if we go on like LinkedIn,
05:38
find people that he's connected to at those companies from the past. Kind of talk about him like a You know, we have this opening at our company. We're kind of looking at Philip. We didn't want to reach out to him yet. We would just want to kind of get a gauge from people that might have known him in the past, you know, at HP or at Costa.
05:53
And, you know, can you kind of giving your feedback on you know, what are some of you know, and also on that? What I would do is I would ask, like what's a good avenue is kind of a good pickup line to get him interested in the position or kind of to reach out to him on the position. So, as an example,
06:09
let's say that that, you know, I worked with Philip at HP and I knew that feeling really, really like spending time with his wife. And he wants to work remote. But like HP was like, It's not gonna happen right. And Google even. It's like, you know, you gotta come into the office. We don't let you do remote.
06:24
And
06:25
I knew that. And so you ask me that question like, Yeah, you know what he's always wanted, Like a remote job where he can at least work remote a couple days a week and spend more time with his wife and just kind of be there and, you know, going picnic lunches or whatever. Um,
06:35
that's a valuable tool, right? so I might be ableto, you know, create a fake job, right? And then I can reach out to Philip and say, Hey, man, you know, have you ever wanted work remote? Like, I've got this cool opportunity And you know where we offer you We can let you work remote a couple days a week, or if you you know, some weeks you wanna work fully remote. We're cool with that, right? That might be enough to get Phillip to click on a malicious link.
06:56
That's, you know, quote unquote, a fake job posting.
06:59
That might be enough to get him to click on that. And then from there, you know, I could do something on his system. Right? So all those little puzzle pieces, right? That's the whole purpose of all this. We're trying to build that puzzle,
07:10
all right? We also want to take a look, you know, like, where is he located, right, Like, you know, we see, um,
07:15
you know, colleges and stuff. We have seen some employers, so we want to see, you know, does he speak of the languages? And also where is he located? At We see here. It looks like he's located in the UK or United Kingdom
07:29
for those I don't know. And then also we see he speaks English fluently, and he's also beginner and French. So that's another way we might be able to get into him, right? If let's say we speak French pretty fluently, we say, Hey, I'm trying to learn English better. Would you mind if we have, like, you know, some sky presume calls or something where we
07:46
I kind of just conversation lies while different things? That's That's another great social engineering technique that,
07:50
um, a lot of people don't don't use. Now, of course, all this when I talk about social engineering and pen testing his stuff, it's really a lot of times. It's difficult because you're on a strict timeline, a za good person, a cz working as a pen tester. A lot times it's like you had a week to do all this stuff for a couple days to do all this stuff, and you may not be able to do all these things I'm talking about.
08:11
But the Attackers they've got essentially all the time in the world, right? They can go through and do all these different things and really, really deep dive into social engineering.
08:20
All right, I'm gonna go in pasta video again. There. I see that. I've been talking quite a bit there. So again, I want to keep these sort of bite size. So that way you can watch as many as you. Can it work on your lunch break? Somebody possibly. All here. We should just have to next video on that share to wrap up this lab, so Ah, little extended here, but hopefully able to knock through these pretty quickly,
08:39
as always. Like I mentioned, weve got the step by step lab guys, you can always go through on your own without having to,
08:43
you know, go through the videos at peace.
08:46
So, as I mentioned, we're just gonna take a look at these last couple of steps in the next video.

Up Next

Online Reconnaissance

In Online Reconnaissance, Ken Underhill goes over the gathering of data through reconnaissance-related labs, with a primary focus on open-source intelligence (OSINT). He walks you through a social media profile analysis lab and a whois lab to give you a hands-on overview of information gathering.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor