Social Engineering - from recon to execution

When (day): 8th - Monday
At: 16:00 - 17:00
Watch: Zoom link will be available very soon




Notable logs from the chat during the session

Challenges: https://drive.google.com/drive/folders/1QRYT7Aory-Lr_pUCRZxYXUhbHLrP3g9b?usp=sharing
17:08:37 From Didar Gelici : https://themanyhats.club/
17:10:07 From WallabyCurtis : https://tracelabs.org/
17:39:20 From karenzapata : https://www.hunch.ly/
17:41:13 From didymus : Buscador is real out of date. There is a walk through for a similar VM in his book.
17:49:02 From Apoorva : Any good open source tool to do the mind mapping as mentioned in the previous slide?
17:50:10 From didymus : Apoorva: draw.io, maltego
17:57:39 From didymus : Would you put all of these specific points of data into an actual file (like tattoos)? I’m just wondering how or if you balance what might be more or less relevant.
17:58:09 From didymus : I just picked tattoo cus it's real specific
17:59:39 From didymus : Ok, do you ever encounter a bit of information that you at first thought was unimportant and irrelevant but was later found to be very useful?
18:03:18 From 名無し : HR peeps the best way to recon
18:04:17 From 名無し : Pretend like you are pizza boy
18:05:15 From 名無し : security token on Github LOL
18:12:19 From didymus : Are there decent tools for “cloning” someone's voice? Or “deepfake” video calls? I’ve read about some but I don’t know if they actually are ready to use in this context yet. I think I’ve heard about them being used to phish CEOs but I can't remember the specific instance.
18:13:44 From didymus : Yeah, Lyrebird looks like it requires minimal data.
18:13:58 From didymus : https://www.descript.com/lyrebird-ai
18:14:53 From didymus : Yeah, a lot of those Indian phishers use a fake 2fa text to give credibility
18:15:31 From didymus : Jamtara: Sabka Number Ayega is a Netflix series about phishing
18:17:44 From didymus : Are there any physical entry tools (like bypass or whatever) that you always carry or find to be the most important?
https://twitter.com/xxByte/status/1269619371409903616
18:21:53 From WallabyCurtis : Any suggestions on getting into badge cloning?
18:23:24 From didymus : WallabyCurtis https://www.proxmark.com/
18:27:49 From 名無し : What if you crack/hack Building Management System and you could create your own access card? Does that work?
18:34:44 From didymus : Why do you think the “suspicious activity” angle works so well?
18:35:50 From didymus : (in phishing emails)
18:39:39 From Apoorva : Any good online sources to check/practice phishing campaigns ?
18:47:31 From Didar Gelici : #firstdayatwork
18:47:53 From Didar Gelici : for good badge photos
18:47:59 From Jemma Davis : On location settings for apps, if you select allow when using app, does that mean active use or sharing location even when app is running in the background?
18:52:51 From didymus : what is an instance where you'd use canary tokens in terms of subverting someone's OSINT on you?
18:53:21 From WallabyCurtis : Any suggestions other than catalogs for leaking disaddresses as leaks?
18:53:50 From didymus : also, prepaid CCs that don’t require signup
18:54:01 From didymus : like Visa Vanilla
18:54:55 From 名無し : Shodan FTW
18:57:59 From WallabyCurtis : What’s the best way to check these emails?
18:58:25 From 名無し : PyMail Analyzer
18:59:35 From didymus : that’s a good idea sending self emails
18:59:58 From karenzapata : https://docs.google.com/spreadsheets/d/1JxBbMt4JvGr--G0Pkl3jP9VDTBunR2uD3_faZXDvhxc/edit?usp=sharing
19:00:28 From didymus : I think they mean fake addresses
19:00:32 From didymus : “disinfo addresses”
19:01:18 From WallabyCurtis : Perfect, thank you.
19:04:38 From didymus : https://drive.google.com/drive/folders/1QRYT7Aory-Lr_pUCRZxYXUhbHLrP3g9b

About this talk:

Stuart Peck, Director of Cyber Security Strategy for ZeroDayLab and 3 x winner of the Tracelabs Missing Person Global CTF, will take you through the techniques attackers use to social engineer targets. What you will learn:

  • OSINT - Recon techniques
  • How attackers create pretexts
  • Case Studies learning from Physical Social Engineering, Telephone Social Engineering (Vishing) and Phishing
  • Social Engineering Defense tactics
  • Q&A
