<!--// Extrapaint.com //-->

Weighing Attack Surfaces

by Erik Paulsen

More often than not, I'm asked if a target can be hacked [by me]. No, I'm not talking about Target superstores (BTW, yes! They still have yet to get serious about #InfoSec! :D Lulz), but if a certain person can be hacked- and if I'll do it.

The answer is no- but there are plenty of ways you can do it yourself. DIY is Da-Shit (a 'Da-Bears' and 'Da-Bulls' ref to the Chi), and let me boil down the laymens aspect first. Have you heard what social engineering can do for you?

Example A: I have an enemy (? why you got enemies dude? You an asshole?)

Phonecall originating from a VoIP provider, providing bullspit Caller ID info (Yes, it is still the '90's as far as telco's think): This is Jared Fakelastname calling from Holeinthewall Financial. Is this TargetsName? I'm calling reguarding a private billing matter. (Confirm target) I need to confirm the last four digits of your social security number.... [lulz] (If they readily provide their last four of their social, than probe them for more :D ) ["]And I show your contact information as [telephone number including area code].. can you confirm your home address (substitute for needed info- you should already have most info you need by this time).. (If they keep telling you stuff, just keep asking, giving minimal reasoning. Otherwise follow your plan for 'collecting'. You need payment ASAP to avoid X- vehicle repo, mark on their credit score for collections, blah bi di blahblah-- You're extracting intel mofo'!)

Any refutation results in the flip of the script [like a worthless debt collector]: (Confirm the name of the Target) (Assert the billing status is past due but you can work out bulling issues BUT) You need to confirm the last four digits of your Soc first.

[75% success - Continue]

Ex. A Q&A:

Why the hell do I want their social?
Because every utility company will want to confirm this for billing inquiries.

Why do I want to inquire about someones fucking bill?
To pwn them.

What if I already know their social?
Why the fuck are you asking me for advice?

`


Powered by Raspberry Pi, PocketC.H.I.P., Arch Linux, Ubuntu, ViM, Let's Encrypt, and 12 years of Linux experience.
© 2012-2017 Erik Paulsen

IP address 54.224.121.67
Hostname ec2-54-224-121-67.compute-1.amazonaws.com
User-Agent CCBot/2.0 (http://commoncrawl.org/faq/)