Social Engineering - Christopher Hadnagy [151]
His favorite food
His favorite restaurant
His kids’ names and ages
That he is divorced
His parents’ names
His brother’s name
Where he grew up
His religion
His favorite sports team
What his whole family looked like
His past business
A day later I mailed a package to the target containing information about a raffle for local businesses. The offer was that if he won, he would get a free dinner at the restaurant he listed as his favorite and three free tickets to a Yankees game. All the business had to do was agree to have a short meeting with a sales rep to talk about a local charity. If the business agreed to that meeting, its name would be entered into the raffle for a chance to win the Yankees tickets. My pretext’s name was “Joe,” and I prepared an outline for a call to the CEO. My goal was to get him to accept a PDF from me that outlined what we wanted and entered him in the drawing. By the time I called, he should have received my “mailed” package, and I could easily use the line, “Yes, he is expecting my call.”
While on the phone with “Joe,” the CEO accepted and opened an email containing all the raffle details as well as a maliciously encoded file, ensuring the delivery of the reverse shell, giving me access to his network.
Of course, he got nothing on his screen and was frustrated that Adobe kept crashing. I told him, “I’m sorry you are having problems opening the file; we will include your name in the raffle and mail out some additional info to you today.” But before that package went into the mail and arrived, I called a report meeting to discuss how the target was completely compromised.
The majority of this success was due to the use of one tool—Maltego. It helped collect, organize, and categorize data for the best use.
How did Maltego help me succeed in this gig?
Think of Maltego as a relational database of information, finding links between bits of information on the Internet (referred to as entities within the application). Maltego also takes a lot of the hard work out of mining information such as email addresses, websites, IP addresses, and domain information. For example, you can search for any email address within a target domain or domains automatically with a few clicks. By simply adding the “EMAIL” transform on the screen, then clicking in the box and typing the email I wanted to search for, I was given a view like what is seen in Figure 7-23.
Figure 7-23: A representation of the information you can glean from Maltego.
Why Use Maltego?
Maltego automates much of the information gathering and large data correlation for the user, saving hours of Googling for information and determining how all that information correlates. Finding these data relationships is where the real power of Maltego comes into play. Although the mining is useful, discovering the relationships between the information is what will help the social engineer.
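The same entity-and-link view can be turned on an organization's own public footprint to decide which source to clean up first. The sketch below is an added example, not code from the book and not Maltego's API; every entity, source name, and address in it is constructed, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample data: (source, entity_a, entity_b) links about a fictitious
# executive, each entity written as "type:value".
LINKS = [
    ("company website",   "email:ceo@example.com", "person:Pat Example"),
    ("social profile",    "email:ceo@example.com", "profile:pat.example"),
    ("social profile",    "profile:pat.example",   "sports team:Yankees"),
    ("social profile",    "profile:pat.example",   "restaurant:Example Grill"),
    ("social profile",    "profile:pat.example",   "family photo:album-1"),
    ("business registry", "person:Pat Example",    "past business:Example Print LLC"),
    ("alumni page",       "person:Pat Example",    "hometown:Exampleville"),
]
# Entity types treated as personal details (an assumption for this example).
PERSONAL = {"sports team", "restaurant", "family photo", "hometown", "past business"}

def build_graph(links, skip_source=None):
    """Undirected adjacency map; optionally leave out everything from one source."""
    graph = defaultdict(set)
    for source, a, b in links:
        if source != skip_source:
            graph[a].add((b, source))
            graph[b].add((a, source))
    return graph

def exposed_details(links, seed, max_hops=3, skip_source=None):
    """Breadth-first walk from seed; returns {personal entity: (hops, sources on path)}."""
    graph = build_graph(links, skip_source)
    seen = {seed: (0, ())}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops, path = seen[node]
        if hops == max_hops:
            continue
        for neighbour, source in graph[node]:
            if neighbour not in seen:
                seen[neighbour] = (hops + 1, path + (source,))
                queue.append(neighbour)
    return {e: v for e, v in seen.items() if e.split(":", 1)[0] in PERSONAL}

def cleanup_priority(links, seed, max_hops=3):
    """Rank sources by how many personal details stop being reachable without them."""
    baseline = len(exposed_details(links, seed, max_hops))
    sources = sorted({s for s, _, _ in links})
    gain = {s: baseline - len(exposed_details(links, seed, max_hops, s)) for s in sources}
    return sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for source, removed in cleanup_priority(LINKS, "email:ceo@example.com"):
        print(f"{source}: {removed} personal detail(s) no longer linkable")
```

In this constructed data, the social profile that publishes the corporate address is the single link that ties three personal details to the work identity, so it ranks first for cleanup.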
At www.social-engineer.org/se-resources/, I have posted a few videos outlining how to use Maltego to get the most out of it. In the earlier story Maltego contributed largely to the exercise’s success, but the compromise came with another amazing tool.
SET: Social Engineer Toolkit
Social engineers spend much of their time perfecting the human aspect of their skills, yet many attack vectors call for the ability to produce emails or PDFs embedded with malicious code.
Both of these things can be done manually using many of the tools that exist in BackTrack, but when I was starting the www.social-engineer.org website I was talking to a good friend of mine, Dave Kennedy. Dave is the creator of a very popular tool called FastTrack that automated some of the most common attacks used in a penetration test using Python scripts and a web interface. I told Dave that I thought it would be a neat idea to develop something like FastTrack but just for social engineers—a tool that would allow a social engineer