NOTES ON HOW TO PASS D484 Penetration Testing (Cert Master PenTest+) Western Governors University

Pages: 70
Uploaded on: 23-05-2025
Written in: 2024/2025

D484 Notes
CertMaster PenTest+
Lesson 4: Evaluating Human and Physical Vulnerabilities
Using Social Engineering
- Social engineering is used 80% of the time by malicious actors; it is extremely
effective.
- Anyone in the org can be used during the PenTest exercise (as long as they are in
scope)
- Be aware of the actions you take that can affect others
- Project scope might prohibit certain tactics
- Social engineering attacks share basic components
1. Prior to attack, evaluate potential targets and determine susceptibility to
types of social engineering. Also evaluate target’s awareness of
technology and cybersecurity.
2. Psychological manipulation that exploits humans’ willingness to place
trust in others.
3. Pretexting – communicate directly or indirectly, a lie or half-truth in
order to get someone to believe a falsehood.
4. Getting to know the target on a personal level, using social media or
other methods.
▪ Once you’ve gained trust, motivate the target to take some
action or provide useful info.
5. Elicitation – acquiring data from the target in order to launch an attack.
(different from info about the target) Attempt to learn useful info by
contacting people who may provide insights:
▪ Request – a social engineer in a trusted position asks the target
for info
▪ Interrogation – social engineer poses as an authority figure to
obtain actionable intel
▪ Surveys – used to informally collect data from the target
▪ Observation – examines target’s behavior and day-to-day
routine in a particular environment
- Elicitation is useful when used in the phishing variant “business email
compromise (BEC)”
1. Attacker impersonates a high-level executive or hijacks their email
account, then sends an email that seems legitimate to cause
someone to do something.
- Hoax – Attacker presents a fictitious situation as real.
1. Popup saying presence of malware on system
2. Email claiming to be from Amazon stating the target’s account has
been flagged for suspicious activity
3. Blog post claiming that most computer performance issues are a result of
RAM that has not been “cleaned”.

Phishing, Pharming, and Baiting the victim
- Phishing – social engineering attack where malicious actor communicates
with the victim from a supposed reputable source.
1. Most common and effective tactic
2. Spoofing the FROM headers
- Pharming – attacker entices victim into navigating to a malicious web page.
- Baiting – attacker will leave bait in an area where a victim can find the device
1. Most common form is USB drop key attack
- Vishing – VoIP phishing
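
Added example (not part of the original notes): a defender-side check for the spoofed FROM headers and executive impersonation (BEC) described above, run over two constructed messages. The organisation domain, executive name, indicator labels and sample headers are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the defender's domain and executive names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

# Constructed sample: visible From is internal, envelope and Reply-To are not.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.invalid; dmarc=fail
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@freemail.invalid
Subject: Urgent wire transfer

Please process today.
"""

# Constructed sample: executive display name on a lookalike external domain.
LOOKALIKE = """\
Return-Path: <jane.doe@examp1e.invalid>
Authentication-Results: mx.example.com; spf=pass; dmarc=pass
From: Jane Doe <jane.doe@examp1e.invalid>
Subject: Quick favour

Are you at your desk?
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw_message):
    """List the spoofing/BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Envelope sender or reply target on a different domain than the visible From.
    for header, label in (("Return-Path", "return-path"), ("Reply-To", "reply-to")):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{label}-mismatch")
    # Executive display name attached to an address outside the organisation.
    if display in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append("executive-name-external-address")
    # The receiving server recorded an SPF, DKIM or DMARC failure.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    findings += [f"{c}-fail" for c in ("spf", "dkim", "dmarc") if f"{c}=fail" in auth]
    return findings
```

The second sample passes SPF and DMARC because the lookalike domain is authenticated in its own right, so only the display-name rule catches it.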

Employing Charm, Power, and Influence
- Malicious actors couple pretexting and impersonation to craft a believable
scenario and impersonate various characters.
- Impersonation is done using phone or email.
- Malicious actors leverage how humans interact with groups.
1. Social proof – when someone copies the actions of others to appear
competent or cooperative in the eyes of others.
2. Likeness – demonstrating that you can conform with the group to
increase your likeability.

Exploiting Physical Security
- Assessing an organization’s physical security is often part of a
comprehensive PenTest.
- Important to review project scope and outline specifics of what is to be
included.
- Examples of tasks:
1. Taking pictures of restricted areas and proprietary equipment
2. Stealing devices, documents and electronic data
3. Accessing restricted systems
4. Planting keyloggers
5. Bypassing security cameras
6. Gaining access to server room and utility closets
- Evaluate physical security controls:
1. Door and hardware locks
2. Video surveillance cameras inside and out
3. Security guards
4. Lighting
5. Physical barriers
6. Alarms and motion sensors

Circumventing Security
- Prior to attempting a physical breach, scope out the facility and security in
place
- Many places have perimeter security to deter someone from entering; assess
whether there are impediments to entrances and other restricted areas.
- If there are fences, evaluate the feasibility of scaling the fence
- Facilities might have motion detection systems in place, evaluate the sensors to
see if someone can bypass the system and whether or not there are any blind
spots.
- Other security measures include badges, and the team should assess the
feasibility of cloning a badge.

Cloning a Badge
- In some facilities, all employees are required to wear a badge so that they
can easily be identified.
- Some badges are just plastic, but there are ones that use RFID.
- If a facility is using a badge system, malicious actors can either steal or clone a
badge to circumvent security.
- Badge cloning – the act of copying authentication data from an RFID
badge’s microchip to another badge.
- Badge cloning is most effective on badges that use 125kHz EM4100
technology.
- Team will want to evaluate the use of badges in a facility.

Gaining Access
- Team will need to evaluate how secure the doors are in the facility.
- If there are door locks, evaluate the type that is in use to determine the method to
gain access. Most common lock is the standard key lock.
- Lock picking uses specialized tools to manipulate the components of a lock in
order to gain access to a restricted area.
- Keyless locks such as combo locks, access card locks, and biometric
scanners must be either destroyed or bypassed.
- Tailgating and piggybacking are other examples of how you can gain access
to a facility as part of a physical attack.
- Tailgating – malicious actor slips in through a secure area while covertly
following an authorized employee who is unaware that anyone is behind
them.
1. Requires several factors to be effective
▪ Door must close slowly
▪ Tailgated employee isn’t paying attention
▪ No guard or other personnel on the other side.
- Piggybacking
1. Target knows someone is following behind them

Searching for Information
- In some cases, an organization might not properly dispose of sensitive business
documents, storage drives, and computer equipment.
- Dumpster diving – act of searching the contents of trash containers for
something of value.