Home page logo

pen-test logo Penetration Testing mailing list archives

Social Engineering - information disclosing by phone
From: "Taras P. Ivashchenko" <naplanetu () gmail com>
Date: Wed, 24 Dec 2008 23:34:33 +0300

Hello, list!

What do you thing about such step of pentest as information disclosing by phone?
Yes, of course everybody watched "Hackers" with Jolie and Miller and remember moment
when when some security officer told number of modem by telephone.
But it's cinema and what about real life?

In Penetration Testing Framework [1] we can read:


IT Department.
"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
and I need to re-synchronise the Active Directory usernames and passwords.

This is so that your logon process in the morning receives no undue delays"

If you are calling from a mobile number, explain that the helpdesk has been
issued a mobile phone for 'on call' personnel.


Contact Details
 - Name
 - Phone number
 - Email
 - Room number
 - Department
 - Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What in your opinion we can take (in pentest) from such method of S.E.?
Does anybody knows Mitnick here? Please, call him =)

Тарас Иващенко (Taras Ivashchenko), OSCP
"Software is like sex: it's better when it's free." - Linus Torvalds

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]