Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Social Engineering - information disclosing by phone
From: "Shomiron Das Gupta" <chaff0 () gmail com>
Date: Sun, 28 Dec 2008 00:00:31 +0530

Hey Taras,

Compliments of the season, most clients we have worked for typically
look at security as a technical 'only' subject. However we have died
and born again explaining the social (larger) aspect of security.


On 12/25/08, Taras P. Ivashchenko <naplanetu () gmail com> wrote:
Hello, list!

What do you thing about such step of pentest as information disclosing by
Yes, of course everybody watched "Hackers" with Jolie and Miller and
remember moment
when when some security officer told number of modem by telephone.
But it's cinema and what about real life?

In Penetration Testing Framework [1] we can read:


IT Department.
"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
and I need to re-synchronise the Active Directory usernames and passwords.

This is so that your logon process in the morning receives no undue delays"

If you are calling from a mobile number, explain that the helpdesk has been
issued a mobile phone for 'on call' personnel.


Contact Details
 - Name
 - Phone number
 - Email
 - Room number
 - Department
 - Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What in your opinion we can take (in pentest) from such method of S.E.?
Does anybody knows Mitnick here? Please, call him =)

Тарас Иващенко (Taras Ivashchenko), OSCP
"Software is like sex: it's better when it's free." - Linus Torvalds

Sent from my mobile device

 He who lives dangerously,
 rocks the world!!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]