Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken to not to identify all points of risk, but instead was to identify how deeply the pentesters could penetrate. The unusual approach and the use of social networking reconnaissance and social engineering that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojan pdf that could evade the companies AV and eventually capture the DCs. Game Over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled “FaceBook from the hackers perspective“ that is worth a read.

0 comments:

Post a Comment