In Part two we first read GPS tracking
GPS Track
You can track people in many different ways, but one way is to use a
device designed to help track a target.One such device is a GPS Tracker; for
example, the notable SpyHawk Super Track GPS Worldwide Super Track Stick USB Data Logger available from Here
Spy Hawk Super Track GPS Track Stick
Track Stick Manager employs an intuitive, simple-to-use
interface.
Exp:
The Spy Hawk Super Track GPS Worldwide Super Track Stick device itself is
lightweight and easy to use and hide. It comes with an on/off switch but has
some neat technology. When it feels movement it turns on and starts
logging. When the movement stops for a period of time, it stops logging.
Tracking the target’s movements
Google Earth map—they show speed,
times, time stopped
Zeroing in on the target’s travels
The data collection is where a social engineer will see the most benefit. Being able to track every time the CEO of the target company stopped for
coffee, what his favorite shop is, and what gym he attends can enable the
social engineer to plan an attack with the highest rate of success.
Knowing the locations and stops can tell the attacker where he or she will
have the best opportunities for cloning an RFID badge or making an
impression of a key.
Physical tools are just one part of being a successful social engineer
though.
Online Information-Gathering Tools
Information gathering is a key aspect of social
engineering.These tools can literally change the way a social engineer views and
uses data. No longer are social engineers limited to what they can find in
routine searches.
- Maltego
. Maltego is a social engineer’s dream tool. This amazing
tool is made by the guys at Paterva. Maltego has a
community edition available for free download from their website, which is
also included in every edition of BackTrack5. If you want to remove the
limitations of the free edition—like the number of transforms you can run and
saving data—spending around $600 will get you a full license.
. Here is what I was able to find in less than two
hours of searching using Maltego:
His favorite food
His favorite restaurant
His kids’ names and ages
That he is divorced
His parents’ names
His brother’s name
His religion
His favorite sports team
His whole family looked like
His past business
Why We Use Maltego?
Maltego automates much of the information gathering and large data
correlation for the user, saving hours of Googling for information and
determining how all that information correlates. Finding these data
relationships is where the real power of Maltego comes into play. Although
the mining is useful, discovering the relationships between the information
is what will help the social engineer
- Social Engineer Toolkit (SET)
Social engineers spend much of their time perfecting the human aspect of
their skills, yet many attack vectors call for the ability to produce emails or PDFs embedded with malicious code.This was the birth of the Social Engineer Toolkit. At the time of writing, SET had been downloaded more than 1.7 million times, and had quickly become the standard toolkit for
social engineering audits.
SET allows the auditor to test their clients by developing targeted emails
and then logging how many employees fall for these attacks. This
information can then be used in training to help employees see how to spot
and avoid these traps.
To perform a spear phishing attack in SET, chose option 1.After pressing
that number you are presented with a few options:
1. Perform a Mass Email Attack
2.Create a FileFormat Payload
3.Create a Social-Engineering Template
Web Attack Vector
SET also allows the auditor to clone any website and host it locally. The
power of this type of attack is that it allows the social engineer to trick users
into visiting the site under the pretense of being a developer making
changes, or even using the trick of adding or deleting one letter in the URL
but pointing people to the new site that is cloned.
To run this attack in SET you would choose option 2, Website Attack Vectors, from the main menu. Upon choosing option 2, you are presented with a fewoptions:
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3.Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6.Return to the previous menu
To perform this attack chose option 1, and then option 2, Site Cloner. Upon choosing Site Cloner, you will be asked which website you want to
clone.
Telephone-Based Tools
people are inundated with telemarketing calls, sales pitches,
and advertisements, a social engineer needs to be skilled to use the phone
successfully in an audit. Despite these limitations, using the phone as a
social engineering tool can lead to total compromise of a company in a very
short period of time.
- Caller ID Spoofing
Caller ID has become a commonplace technology in both business and
home use. Especially now with cell phones replacing many of the land based phone lines people use, caller ID is part of daily life.Caller ID spoofing basically is changing the information that appears on
the target’s caller ID display.
- Spoof Card
One of the most popular methods of caller ID spoofing is by using a Spoof Card Using one of these cards, you call up the
800 number given to you on the card, enter your PIN, the number you want
the caller IDto display, and then the number you want to call.
- Spoof App
With so many people using smart phones like the iPhone, Android, or the Blackberry there has been an influx of apps created to assist in caller ID
spoofing. Spoof App uses Spoof Cards (see the preceding section) but
bundles the features into a package on your cell phone.
- Password Profilers
Another set of tools that bear mentioning help you profile targets and the
passwords they may use. After you have all the information on a target you
can gather, your next is to develop a profile.
Help Full
ReplyDelete