Exploiting Physical and Social Vulnerabilities Flashcards
Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?
a. Smishing
b. VIPhishing
c. Whaling
d. Spear phishing
c. Whaling is a specialized form of phishing that targets important leaders and senior staff. If Cynthia was specifically targeting individuals, it would be spear phishing. Smishing uses SMS messages, and VIPhishing was made up for this question.
Mike wants to enter an organization’s high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?
a. Security cameras
b. A security vestibule
c. An egress sensor
d. An RFID badge reader
b. A security vestibule allows only one individual through at a time, with doors at either end that unlock and open one at a time. It will prevent most piggybacking or tailgating behavior unless employees are willfully negligent.
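The interlock the answer describes, written out as a small controller so the "one at a time" rule is explicit. This is an added illustration, not part of the flashcard set; the badge ID, the occupancy-sensor reading and the door events are all constructed, and the Vestibule class is a hypothetical model rather than any vendor's firmware.

```python
from dataclasses import dataclass, field


@dataclass
class Vestibule:
    """Interlock controller for a two-door security vestibule (mantrap).

    Invariant checked on every transition: the outer and inner doors are never
    unlocked at the same time, so the secure side is never reachable from the
    outside in one step. The inner door releases only when the chamber holds
    exactly one person, which is what defeats tailgating.
    """
    authorized: frozenset              # badge IDs allowed through (constructed)
    outer_unlocked: bool = False
    inner_unlocked: bool = False
    occupants: int = 0                 # reading from the chamber occupancy sensor
    events: list = field(default_factory=list)

    def _check_interlock(self) -> None:
        if self.outer_unlocked and self.inner_unlocked:
            raise AssertionError("interlock violated: both doors unlocked")

    def badge_outer(self, badge: str) -> bool:
        """Outer door releases for a valid badge only while the chamber is
        empty and the inner door is locked."""
        if badge not in self.authorized or self.inner_unlocked or self.occupants:
            self.events.append(f"outer denied for {badge}")
            return False
        self.outer_unlocked = True
        self._check_interlock()
        self.events.append(f"outer released for {badge}")
        return True

    def people_enter(self, count: int) -> None:
        """Whoever walks through the open outer door is counted by the sensor,
        tailgater included; the door then closes and relocks behind them."""
        if not self.outer_unlocked:
            raise RuntimeError("outer door is locked")
        self.occupants += count
        self.outer_unlocked = False

    def request_inner(self) -> bool:
        """Inner door releases only for exactly one occupant with the outer door
        locked. Anything else is treated as a tailgate: raise an alarm, keep the
        inner door locked, and release the outer door so the chamber is vacated."""
        if self.outer_unlocked or self.occupants != 1:
            self.events.append(f"tailgate alarm: {self.occupants} occupants")
            self.outer_unlocked = True
            self._check_interlock()
            return False
        self.inner_unlocked = True
        self._check_interlock()
        self.events.append("inner released")
        return True

    def clear_chamber(self) -> None:
        """Occupants leave through whichever door is open; both doors relock."""
        self.occupants = 0
        self.outer_unlocked = False
        self.inner_unlocked = False


def walk_through(tailgaters: int) -> bool:
    """One badge holder enters with `tailgaters` unbadged followers.
    Returns True only if the inner door released."""
    v = Vestibule(authorized=frozenset({"EMP-1001"}))  # constructed badge ID
    v.badge_outer("EMP-1001")
    v.people_enter(1 + tailgaters)
    admitted = v.request_inner()
    v.clear_chamber()
    return admitted


if __name__ == "__main__":
    print("alone:", walk_through(0))
    print("with one tailgater:", walk_through(1))
```

The occupancy sensor is the piece that turns two doors into an anti-tailgating control; without it the controller above would happily release the inner door for a chamber holding two people, which is the "willfully negligent employee" case the answer mentions.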
Which of the following technologies is most resistant to badge cloning attacks if implemented properly?
a. Low-frequency RFID
b. Magstripes
c. Medium-frequency RFID
d. Smartcards
d. Most organizations continue to use RFID or magnetic stripe technology for entry access cards, making a penetration tester's job easier, since both technologies can be cloned: a low-frequency proximity card simply announces a fixed identifier that any reader in range can record and replay, and a magstripe can be copied with an inexpensive reader/writer. Smartcards are far more difficult to clone if implemented properly, because the card proves possession of a secret key through a challenge-response exchange and the key itself never leaves the chip; a deployment that only reads the card's serial number gives up that protection.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. Jen wants to send a phishing message to employees at the company. She wants to learn the user IDs of various targets in the company and decides to call them using a spoofed VoIP phone number similar to those used inside the company. Once she reaches her targets, she pretends to be an administrative assistant working with one of Flamingo’s senior executives and asks her targets for their email account information. What type of social engineering is this?
a. Impersonation
b. Interrogation
c. Shoulder surfing
d. Administrivia
a. Jen is impersonating an administrative assistant. Interrogation techniques are more aggressive and run the risk of making the target defensive or aware they are being interrogated. Shoulder surfing is the process of looking over a person’s shoulder to acquire information and administrivia isn’t a penetration testing term.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. Jen wants to deploy a malicious website as part of her penetration testing attempt so that she can exploit browsers belonging to employees. What framework is best suited to this?
a. Metasploit
b. BeEF
c. SET
d. OWASP
b. The Browser Exploitation Framework, or BeEF, is specifically designed for this type of attack. Jen can use it to hook the browsers of employees who visit a malicious page and then run its browser exploit modules against them, using various phishing and social engineering techniques to draw Flamingo employees to the site.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. After attempting to lure employees at Flamingo, Inc. to fall for a phishing campaign, Jen finds that she hasn’t acquired any useful credentials. She decides to try a USB key drop. Which of the following Social-Engineer Toolkit modules should she select to help her succeed?
a. The website attack vectors module
b. The Infectious Media Generator
c. The Mass Mailer Module
d. The Teensy USB HID attack module
b. Jen should use the Infectious Media Generator, which is designed to create thumb drives and other media that can be dropped on-site for employees to pick up. The Teensy USB HID attack module may be a tempting answer, but it is designed to make a Teensy (a tiny computer much like an Arduino) act like a keyboard or other human interface device rather than to create infected media. Creating a website attack or a mass mailer attack isn't part of a USB key drop.
Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting?
a. CEO baiting
b. Spear phishing
c. Phish hooking
d. Hook SETing
b. Chris is conducting a spear phishing attack. Spear phishing attacks target specific individuals. If Chris were targeting a group of important individuals, this might be a whaling attack instead. CEO baiting, phish hooking and Hook SETing were all made up for this question.
Frank receives a message to his cell phone from a phone number that appears to be from the IRS. When he answers, the caller tells him that he has past due taxes and is in legal trouble. What type of social engineering attack has Frank encountered?
a. A spear phishing attack
b. A whaling attack
c. A vishing attack
d. An SMS phishing attack
c. Frank has encountered a vishing attack, a type of attack conducted via phone that often relies on a perception of authority and urgency to acquire information from its targets. A spear phishing attack targets specific individuals or groups, and whaling attacks are aimed at VIPs, neither of which are indicated in the question. The attack is via voice, not SMS, ruling that answer out too.
Emily wants to gather information about an organization but does not want to enter the building. What physical data gathering technique can she use to potentially gather business documents without entering the building?
a. Piggybacking
b. File surfing
c. USB drops
d. Dumpster diving
d. Emily can try dumpster diving. An organization's trash can be a treasure trove of information about the organization, its staff, and its current operations based on the documents and files that are thrown away. She might even discover entire PCs or discarded media.
Cameron sends a phishing email to all of the administrative assistants in a company. What type of phishing attack is he conducting?
a. Whaling
b. Vishing
c. A watering hole attack
d. Spear phishing
d. Spear phishing is targeted to specific populations, in this case, administrative assistants. Whaling targets VIPs, vishing is done via phone calls, and a watering hole attack leverages a frequently visited site or application.
Which social engineering motivation technique relies on persuading the target that other people have behaved similarly and thus that they could too?
a. Likeness
b. Fear
c. Social proof
d. Reciprocation
c. Social proof relies on persuading an individual that they can behave in a way similar to what they believe others have. A social proof scenario might involve explaining to the target that sharing passwords was commonly done among employees in a specific circumstance or that it was common practice to let other staff in through a secure door without an ID.
Megan wants to clone an ID badge for the company that she is performing a penetration test against. Which of the following types of badge can be cloned without even touching it?
a. Magstripe
b. Smartcard
c. RFID
d. CAC
c. RFID badges are wireless and can sometimes be cloned from distances up to a few feet away. Magstripe cards need to be read with a magnetic stripe reader. Smartcards provide additional security that makes them difficult to clone, and CAC cards are the U.S. Department of Defense's smartcard implementation.
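Why the smartcard answer above and the earlier "most resistant to badge cloning" answer point the same way, as an added simulation that is not part of the flashcard set: a static-ID badge is fully captured by one read, a challenge-response smartcard is not, and a smartcard whose reader only checks the serial number is back to the static case. The classes and the reader are a hypothetical model of the protocol shape, HMAC-SHA256 stands in for whatever cipher a real card uses, and the card IDs and keys are constructed.

```python
import hashlib
import hmac
import os


class StaticIdBadge:
    """Models a low-frequency proximity card: it announces the same fixed ID
    to every reader, so one sniffed read is everything a clone needs."""

    def __init__(self, card_id: bytes) -> None:
        self.card_id = card_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.card_id  # the challenge is ignored; the ID is the whole secret


class ChallengeResponseCard:
    """Models a smartcard whose key never leaves the chip: it only ever emits
    a MAC over the reader's fresh nonce, which is useless against a new nonce."""

    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id = card_id
        self._key = key  # stays inside the 'chip'; nothing exports it

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class ReplayClone:
    """What an attacker can build from one sniffed exchange: the card's
    advertised ID plus the single response that was observed."""

    def __init__(self, card_id: bytes, captured_response: bytes) -> None:
        self.card_id = card_id
        self.captured = captured_response

    def respond(self, _challenge: bytes) -> bytes:
        return self.captured  # can only repeat what it saw


class Reader:
    """Door reader. `enrolled` maps card ID -> shared key, or None when the
    reader is configured to trust the bare ID (UID-only mode)."""

    def __init__(self, enrolled: dict) -> None:
        self.enrolled = enrolled

    def authenticate(self, card) -> bool:
        if card.card_id not in self.enrolled:
            return False
        key = self.enrolled[card.card_id]
        if key is None:
            return True  # UID-only: anything announcing an enrolled ID is let in
        challenge = os.urandom(16)  # fresh per attempt, never reused
        expected = hmac.new(key, card.card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))


def sniff_and_clone(card) -> ReplayClone:
    """Passive capture of one legitimate read: an attacker's reader nearby
    issues its own challenge and records whatever the card answers."""
    return ReplayClone(card.card_id, card.respond(os.urandom(16)))


def trial(reader: Reader, card) -> tuple:
    """Returns (real card accepted, replay clone accepted)."""
    return reader.authenticate(card), reader.authenticate(sniff_and_clone(card))


# Constructed ID and key shared by the three deployments below.
CARD_ID = b"\x00\x12\x34\x56"
CARD_KEY = bytes(range(16))


def lf_prox_deployment() -> tuple:
    """Static-ID badge with a reader that trusts the ID: the clone gets in."""
    return trial(Reader({CARD_ID: None}), StaticIdBadge(CARD_ID))


def smartcard_deployment() -> tuple:
    """Smartcard with a challenge-response reader: the clone is rejected."""
    return trial(Reader({CARD_ID: CARD_KEY}), ChallengeResponseCard(CARD_ID, CARD_KEY))


def smartcard_uid_only_deployment() -> tuple:
    """Same smartcard, but the reader was set up to check only the serial
    number. The crypto is never exercised and the badge clones like LF prox."""
    return trial(Reader({CARD_ID: None}), ChallengeResponseCard(CARD_ID, CARD_KEY))


if __name__ == "__main__":
    print("LF prox       (real, clone):", lf_prox_deployment())
    print("smartcard     (real, clone):", smartcard_deployment())
    print("smartcard UID (real, clone):", smartcard_uid_only_deployment())
```

The third deployment is the practical check worth making on an engagement: a facility can issue smartcards and still be running its readers in serial-number mode, in which case the badge is clonable from the air exactly like a proximity card.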
Allan wants to gain access to a target company’s premises but discovers that his original idea of jumping the fence probably isn’t practical. His new plan is to pretend to be a delivery person with a box that requires a personal signature from an employee. What technique is he using?
a. Authority
b. Pretexting
c. Social proof
d. Likeness
b. Allan is using a pretext to gain access to the organization. Claiming to be a delivery person who needs a specific signature may get him past the initial security for the organization. He is not claiming particular authority, providing social proof that others allow him in, or claiming he is similar to the security person or receptionist.
Charles sends a phishing email to a target organization and includes the line “Only five respondents will receive a cash prize.” Which social engineering motivation strategy is he using?
a. Scarcity
b. Social proof
c. Fear
d. Authority
a. Scarcity can be a powerful motivator when performing a social engineering attempt. The email that Charles sent will use the limited number of cash prizes to motivate respondents. If he had added “the first five,” he would have also targeted urgency, which is often paired with scarcity to provide additional motivation.
What occurs during a quid pro quo social engineering attempt?
a. The target is offered money
b. The target is asked for money
c. The target is made to feel indebted
d. The penetration tester is made to feel indebted
c. A quid pro quo attempt relies on the social engineer offering something of perceived value so that the target will feel indebted to them. The target is then asked to perform an action or otherwise do what the penetration tester wants them to do.