POINT OF VIEW

Isn't Social Engineering the Safest Form of PenTesting?

If it's permitted, registered and certified, it's pentesting, and if it's not, it's just, in plain words, scary hacking. One might argue over this, but for a student and a budding pentester like me, this is the truth and holds water. Social engineering won't call your work illegal unless you harm someone personally or cause some financial loss. Plus, since you don't have certifications at competitive prices, no one even wants you to be a certified Social Engineer at that unaffordable price.

As a learner I don't think either of the two should be your main concern. Just knowing the password and doing some browsing with it should be enough encouragement. I can get someone drunk and get his passwords rather than doing phishing and other stuff. Getting picked up by girls from a bar and then using their laptop or desktop with an excuse to check my mails is what I have been doing lately. The fun part is to discover the lover's files and saved passwords... Okay, maybe I am not being picked up by girls in the bar, but they do give me their laptops to use the Internet (not in the bar of course, well, the bar was supposed to sound cool). Anyway, other moves are: offering my laptop to others to change passwords or log into any account. Some smart ones check the anti-virus inclusion list to track keyloggers, some trust me, others have not heard about Firefox add-ons, or the changed script that enables storing all passwords without offering to remember them. Trojans haven't helped me much, nor has any exploit from Metasploit that I know of (some 3 or 4), except on my own virtual machine, which has no anti-virus. Accessing other PCs myself rather than accessing them remotely has so far worked pretty well for me. I'm often filled with guilt that I make friends just to add them to my stolen passwords list... But that's a different story, let's not get there.

Watching your friends' desktop screens at night and taking their picture remotely at that very moment aren't on the list of the most interesting things, but one still might enjoy doing it for fun and, of course, learning. But try not to go for the easy way, which is implanting the .pdf in your friend's laptop, who uses an older version of Adobe Reader. Removing my device from my friend's Facebook was the coolest correction that I've done so far (oh, try Konqueror, it impressed me). Getting the phone number to stay in touch is easy, then updating Facebook status from that number is so much fun, thanks to the websites whose names can't be disclosed here.

Moving on, the only method I've found to protect my own Facebook wall from SMS spoofing is by not sharing my phone number with anyone. SMS spoofing is so easy, simple and free that a non-geek can do it. Against caller ID spoofing, those who can crack Asterisk aren't idle enough to try me, so I feel pretty much safe. I am not so sure if Facebook knows they have this vulnerability, since it's still on the go. I really hope they buy this issue.

Upon being caught when the secret was somehow revealed to people, saying that I was pentesting your things to improve your security has saved me many times from beatings, but with practice it happens less often these days. I hope my actions have been legal so far; I'm not looking forward to doing anything illegal, just brushing up some skills. One of my idols, Kevin Mitnick, scares me these days with his "you should not make those mistakes that I did" types; I am pretty much concerned now, and scared too often. This legal-illegal issue is the most repulsive thing in a budding pentester's life like mine. Never have I done any harm to anyone; even with those still-working passwords in my system, none of those people have ever faced any problems so far, they don't even know about it (yet), in fact many got improved security features in their accounts, but it can still be looked at as illegal.

05/2011 (5) September Page 4 http://pentestmag.com

I took a course for International Certification assuming it would make it easy for me to get permission from authorities to practice with them, but my trainers were doing fraud in the name of that false certification, so now I have lost that hope too, humph! I'm looking forward to platforms like Hatforce, thanks to Arthur (see this issue). As a Non-Certified Infosec Pro, Social Engineering is what I feel best to practice, and with positive results it's always encouraging.
And again, nothing illegal has been done so far, and none is to happen in the future either.

ANKIT PRATEEK, RHCE, CISP