The Human Firewall: Maintaining Your Guise As A Social Engineer
Tim Roberts / Brent White, Offensive Security Consulting Services - Solutionary



Objectives…

• What to do as a Penetration Tester
  • Moving beyond “Intuition Alarms”
  • Rebuttals to being “caught”
• Client: Security Awareness
  • Knowing our methods to strengthen your Security Awareness Program

Hacker: “Just to validate, I need you to confirm your password.”

Target: “I’m sorry, I cannot give that to you over the phone…Who did you say this is?”

from: Tom Hacker <[email protected]>

Target: “Umm…who is Tom Hacker? I don’t see him in Global.”

Dilemma…

“Experience has shown, and a true philosophy will always show, that a vast, perhaps the larger portion of the truth arises from the seemingly irrelevant.”
– Edgar Allan Poe

Hacker: “Just to validate, I need you to confirm your password.”

Target: “I’m sorry, I cannot give that to you over the phone…Who did you say this is?”

Example Situational Responses:

Answer Approach: “This is Kevin James from Help Desk.”
Note: Kevin James should be a real employee whom you are impersonating.

Diversion Approach: “And that is the answer we were looking for. Good job!”
• Note: In the case of a Cold Call, consider ending on this note and wrapping up the conversation.

Dilemma Responses

The ability to “roll with the punches” helps you avoid backing yourself into a corner. Oftentimes we will want to avoid the question altogether or come back with one of the following:

• “Answer”: Use diplomacy.
• “Block”: Stop the conversation.
• “Counter”: Answer a question with a question.
• “Diversion”: Hey, look over there…

Skills and Traits: Improv

Remote Guise

• Employee
  • Hostname
  • Name, Department (HR, IT, Security etc.), Signature Block
  • Phone Number
• Auditor / Assessor
  • External (NIST etc.)
  • Internal (Corporate)

Physical Guise

• Employee
  • Name, Department, Dress Code, Supervisor (Name drops)
• Vendor
  • Legit: Look at Vendor Log
  • “Wandering Salesman”
  • Physical Security Contractor
  • Maintenance
  • Lawn Care
  • Cleaning Crew

Fake Badges and Pigs

Proximity badge cloning is possible and the tooling is publicly available.

As simple as:
• Using a blank HID Proximity badge
• Adhesive printer paper
• Photoshop skills
• Local print company

Why have a fake badge?

• An employee or a security guard is less likely to stop you if they see a badge.
• How often do employees actually pay attention to the response of the badge reader?
  • Red/green light and “Error” tone

Identifying Attackers: Pig Hunting

How to identify piggybacking:
• Suspicious Activity
  • Hanging around the door (waiting)
  • Following close
  • Inconvenienced by inquiries
  • High sense of urgency
  • No badge

Identifying Attackers: Badges

How to identify fake badges:
• Flipped over
• Covered badge (card, family photo etc.)
• Photo inconsistency
• Does it work?

How to prevent cloned badges:
• Where is your badge?
• Why is this guy rubbing up against me?
• Who is that carrying a weight scale around with them?
• Don’t always go cheap.

Be Skeptical

Calmly and patiently listen to what others have to say, and recognize when they’re feeding you garbage.

“It’s not what you give. It’s how you give it.” – Bruce Lee

www.solutionary.com // @ZanshinH4x | @brentwdesign | www.wehackpeople.com