4

I have been asked to test out any security holes for a company. I created an email account that looks similar to their IT department's address and everybody is complying :) I have only asked them to send me some simple things like their WAN IPs. I want to take it a step further though, perhaps some backdoor access? or a few files off their computer? Nothing malicious, white-hat stuff etc..

What do you guys recommend I ask for in the next email?

Duclaws
  • 43
  • 3
  • 5
    I hope you have a contract outlining your responsibilities and liabilities if you're going to be doing penetration testing or launching social engineering attacks against another company. Are you even sure that someone in authority at the company asked you to probe their security, or are you a victim of social engineering yourself? – Johnny Jun 28 '13 at 21:32
  • I do have such a contract, yes. – Duclaws Jun 28 '13 at 21:36
  • 4
    You ought to include that at the top of your vulnerability report: Company signed contract for vulnerability scan from an individual that's not sure how to conduct such a scan. Keep in mind that as you uncover vulnerabilities, your systems become a potential back door into that company's systems, so you need to make sure you have good password policies, encryption, data retention/destruction, network security, patch management, etc. Being a security tester means that you need to go the extra mile to make sure that you don't inadvertently create more exposure for the company. – Johnny Jun 28 '13 at 21:57
  • Why email them why not call? You can get a lot more information from a call with a good pretext especially if they think you're from IT. – Four_0h_Three Jun 29 '13 at 04:36

1 Answers1

8

First off what you're doing sounds like a pen. test/security test. It's very important when doing this kind of testing to ensure you have a signed off scope document from someone in authority at the company you're testing, as without that you could do something that the company wouldn't be happy with. Also without authorization from the company some actions will be in breach of local cybercrime laws.

So assuming that you've got a general authorization for "social engineering" style attacks, it would depend on your goal.

  • Asking a user to open a file which gives you access to the internal network would be one option (using something like SET or Metasploit to generate the payload
  • Ask a user to provide your their password. Depending on your scope again if successful you could then use this to access things like webmail systems to prove that attackers can gain unauthorised access to company information in this way.
Rory McCune
  • 62,266
  • 14
  • 146
  • 222
  • Yes! That's what I was looking for: something to generate a payload. I will look into SET and Metasploit. I was thinking to ask for their email password yes, but hesitant to blow my cover, and yes I do have a contract protecting the shit out of me. – Duclaws Jun 28 '13 at 21:40
  • DAMN my newb ass cant upvote you yet :( – Duclaws Jun 28 '13 at 21:42
  • 9
    @Duclaws - You can accept the answer though, which is worth 2 reputation points. You currently have 11, meaning you'd need 2 more to up-vote. You could then edit Rory's answer for spelling and grammar (if you ever watched any of his presentation videos, you'll know what I mean when I say there's no wonder commas avoid him in writing too :P) and once it's approved you get another 2 points, resulting in 15 that allows you to up-vote then. Reputation engineering FTW ;) – TildalWave Jun 29 '13 at 01:02
  • I believe SET is part of metasploit now and SET is awesome! – Four_0h_Three Jun 29 '13 at 02:34
  • 4
    @TildalWave There is no punctionation in Scotland. All words flow together into one rapid-fire stream. – Polynomial Jun 29 '13 at 11:22