Need help with pen test

Discuss the many weaknesses of browser security and ways to mitigate the threat

Re: Need help with pen test

Post by tgoe on Wed Oct 30, 2013 2:08 pm

What is your time frame? I would've been looking at social engineering by now. If it is worth the hassle, get a job there and do it from inside.


Re: Need help with pen test

Post by Pheo14 on Wed Oct 30, 2013 9:49 pm

tgoe wrote: What is your time frame? I would've been looking at social engineering by now. If it is worth the hassle, get a job there and do it from inside.


+7GMT, yes, I'm working from the inside :)

As far as I know, social engineering is about manipulating people; they can do that by creating a fake website or by posting links in the forum...

Anyway, there is no community interaction on the website, therefore the only way for a social engineering campaign to be conducted is by posting a link to the fake website elsewhere (it will never be posted on the main site, simply because they can't). In that case, those who fall for the trap deserve it; they should've known how to protect themselves before going online.


Re: Need help with pen test

Post by hellow533 on Wed Oct 30, 2013 10:02 pm

Pheo14 wrote:
tgoe wrote: What is your time frame? I would've been looking at social engineering by now. If it is worth the hassle, get a job there and do it from inside.


+7GMT, yes, I'm working from the inside :)

As far as I know, social engineering is about manipulating people; they can do that by creating a fake website or by posting links in the forum...

Anyway, there is no community interaction on the website, therefore the only way for a social engineering campaign to be conducted is by posting a link to the fake website elsewhere (it will never be posted on the main site, simply because they can't). In that case, those who fall for the trap deserve it; they should've known how to protect themselves before going online.

Social engineering goes much further than phishing.

"hey I'm new here, what's the login/password for the system/website/whatever?"
"Oh hey man, the username is genericname1 and the password is somepassword123"
"alright thanks!"

Once you have user access (assuming there is user access) to the system you may be able to take another step forward to admin access. A big reason I have to make REAAALLLL shitty slideshows (that eventually get remade anyway because I can't explain shit to people properly) is because of user error. "Oh, I'm going to give a username and password to some random guy in the office I don't know."

Or my favorite,
"I think I'll disable the password and mac address filter for our wireless, then bitch about any further problems such as employees loafing around and not doing work to possible security risks."
“Teach me how to hack!”
"What, like, with an axe?"


Re: Need help with pen test

Post by Pheo14 on Wed Oct 30, 2013 11:13 pm

hellow533 wrote: Social engineering goes much further than phishing.

"hey I'm new here, what's the login/password for the system/website/whatever?"
"Oh hey man, the username is genericname1 and the password is somepassword123"
"alright thanks!"

Once you have user access (assuming there is user access) to the system you may be able to take another step forward to admin access. A big reason I have to make REAAALLLL shitty slideshows (that eventually get remade anyway because I can't explain shit to people properly) is because of user error. "Oh, I'm going to give a username and password to some random guy in the office I don't know."

Or my favorite,
"I think I'll disable the password and mac address filter for our wireless, then bitch about any further problems such as employees loafing around and not doing work to possible security risks."


Yes, it is indeed a good topic. However, I still can't see the point. Social engineering targets people. Correct me if I'm wrong, but there are 2 kinds of campaign:
+ Online campaign: anything related to online interaction. It can be a message like "hey man, give me the damn password", or even better, "your company's website is at risk, here, use this special program, it'll protect you"
+ Offline campaign: physical interaction, "sir, I'm going to work late, can you hand me the office key, so that I could break into your office and steal whatever I want later?"

These are human threats, and they are both easy and difficult to deal with. Let's say I'm the guy in charge of attacking the system, and the server is just 2 steps from me. I can just throw it out of the window -,-, or even better, I could just ask for the username and password, and tadaa, the server has collapsed.

But for what? The guy in charge of protecting the server will have to be afraid of it, and yes he is, the guy is quite careful. And if he is not, then that's it, I can't do anything about the fact that he himself is vulnerable to social engineering. I can talk to him, he will listen, but he will not learn, for it is the nature of man to forgive things you have no experience of.

Lastly, hey man, I'm loafing around to find a good way to increase the security here, sitting behind the manager :|. It's not like I'm having a relaxing time here :|


Re: Need help with pen test

Post by tgoe on Sat Nov 02, 2013 2:03 am

Reading through this again, the apparent language barrier + ToS is thicker than my patience. :)


Re: Need help with pen test

Post by Pheo14 on Sun Nov 03, 2013 8:22 pm

My English is bad and I already feel bad :|. Anyway, sorry about that :|

